Analysis
max time kernel: 118s
max time network: 58s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 19/01/2025, 12:10
Static task: static1
Behavioral task: behavioral1
  Sample: 481df2d1bb42c75a91ad8a3fe9d1851ba3d05080d3d901101cc994f3040b6469N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 481df2d1bb42c75a91ad8a3fe9d1851ba3d05080d3d901101cc994f3040b6469N.exe
  Resource: win10v2004-20241007-en
(The results below are from behavioral1, the Windows 7 x64 run.)
General
Target: 481df2d1bb42c75a91ad8a3fe9d1851ba3d05080d3d901101cc994f3040b6469N.exe
Size: 56KB
MD5: 4b6b9b9078efdea1d767e1bb8076e570
SHA1: 2cefdc00441bab34f9026172fc4d19c15059b5c5
SHA256: 481df2d1bb42c75a91ad8a3fe9d1851ba3d05080d3d901101cc994f3040b6469
SHA512: a38c4d9576e6f15341900a1e75057c0e0cc078ee3b3a8ce529a158d494c3a8067f79ba90f85d8a8d591c497a96130a451395efbafd087fc347e29fbd9b57188d
SSDEEP: 1536:XvvqylRHMH/Jtakr8KCxEhDYcEb08+D9V2vPscW:fvVa+krSxuDIvi9+Psb
Malware Config
Signatures
-
Njrat family
-
Command and Scripting Interpreter: PowerShell (1 TTP, 3 IoCs)
PowerShell is run to add Windows Defender exclusions. In this run the three invocations add one process exclusion (the sample's file name) and two path exclusions (the original sample in %TEMP% and the copy in C:\ProgramData); no extension exclusions are added. Each invocation uses -ExecutionPolicy Bypass (see the process tree).
pid / Process:
- 2424 powershell.exe
- 2816 powershell.exe
- 2768 powershell.exe
Modifies Windows Firewall (2 TTPs, 1 IoC)
pid / Process:
- 2476 netsh.exe
Executes dropped EXE (2 IoCs)
pid / Process:
- 2496 481df2d1bb42c75a91ad8a3fe9d1851ba3d05080d3d901101cc994f3040b6469N.exe
- 2252 481df2d1bb42c75a91ad8a3fe9d1851ba3d05080d3d901101cc994f3040b6469N.exe
Loads dropped DLL (3 IoCs)
pid / Process:
- 1984 taskeng.exe (three load events)
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP. The lookup itself is not malicious, but a request to ip-api.com from a process that has just excluded itself from Defender and scheduled its own relaunch is a useful correlation point.
flow / ioc:
- 4 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL (1 TTP, 3 IoCs)
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It reads HKLM\SOFTWARE\Microsoft\NetSh on every start to find registered helper DLLs. The events recorded here are all reads (open, query, enumerate) of that key by the netsh.exe instance spawned for the firewall rule below; no write to the key was recorded, so this signature reflects the netsh invocation itself rather than evidence that a helper DLL was planted.
description / ioc / Process:
- Key opened: \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh (netsh.exe)
- Key queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh (netsh.exe)
- Key value enumerated: \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh (netsh.exe)
Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution. Here the task is created with /sc minute /mo 1 and /rl highest, so the copy in C:\ProgramData is relaunched every minute with the highest available run level; the two taskeng.exe children later in the process tree are those relaunches.
pid / Process:
- 2584 schtasks.exe
Suspicious behavior: EnumeratesProcesses (3 IoCs)
pid / Process:
- 2424 powershell.exe
- 2816 powershell.exe
- 2768 powershell.exe
Suspicious use of AdjustPrivilegeToken (32 IoCs)
Token / pid / Process (grouped; the report lists each event individually):
- SeDebugPrivilege: 2380 481df2d1bb42c75a91ad8a3fe9d1851ba3d05080d3d901101cc994f3040b6469N.exe
- SeDebugPrivilege: 2424 powershell.exe
- SeDebugPrivilege: 2816 powershell.exe
- SeDebugPrivilege: 2768 powershell.exe
- SeDebugPrivilege: 2496 481df2d1bb42c75a91ad8a3fe9d1851ba3d05080d3d901101cc994f3040b6469N.exe
- SeDebugPrivilege: 2252 481df2d1bb42c75a91ad8a3fe9d1851ba3d05080d3d901101cc994f3040b6469N.exe
- 33 (privilege reported by numeric value only): 2380 481df2d1bb42c75a91ad8a3fe9d1851ba3d05080d3d901101cc994f3040b6469N.exe, 13 events
- SeIncBasePriorityPrivilege: 2380 481df2d1bb42c75a91ad8a3fe9d1851ba3d05080d3d901101cc994f3040b6469N.exe, 13 events
The 33/SeIncBasePriorityPrivilege events alternate in pairs throughout the run, i.e. the original sample process repeatedly re-adjusts its token while it is running.
Suspicious use of WriteProcessMemory (21 IoCs)
Each child spawn is recorded as three write events; the table lists each parent/child pair once.
pid / Process / procid_target:
- 2380 481df2d1bb42c75a91ad8a3fe9d1851ba3d05080d3d901101cc994f3040b6469N.exe wrote to memory of 2424 (target 31), 3 events
- 2380 481df2d1bb42c75a91ad8a3fe9d1851ba3d05080d3d901101cc994f3040b6469N.exe wrote to memory of 2816 (target 33), 3 events
- 2380 481df2d1bb42c75a91ad8a3fe9d1851ba3d05080d3d901101cc994f3040b6469N.exe wrote to memory of 2768 (target 35), 3 events
- 2380 481df2d1bb42c75a91ad8a3fe9d1851ba3d05080d3d901101cc994f3040b6469N.exe wrote to memory of 2584 (target 37), 3 events
- 2380 481df2d1bb42c75a91ad8a3fe9d1851ba3d05080d3d901101cc994f3040b6469N.exe wrote to memory of 2476 (target 39), 3 events
- 1984 taskeng.exe wrote to memory of 2496 (target 43), 3 events
- 1984 taskeng.exe wrote to memory of 2252 (target 44), 3 events
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
1. C:\Users\Admin\AppData\Local\Temp\481df2d1bb42c75a91ad8a3fe9d1851ba3d05080d3d901101cc994f3040b6469N.exe (PID 2380)
   cmdline: "C:\Users\Admin\AppData\Local\Temp\481df2d1bb42c75a91ad8a3fe9d1851ba3d05080d3d901101cc994f3040b6469N.exe"
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2424)
      cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '481df2d1bb42c75a91ad8a3fe9d1851ba3d05080d3d901101cc994f3040b6469N.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
   2. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2816)
      cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\481df2d1bb42c75a91ad8a3fe9d1851ba3d05080d3d901101cc994f3040b6469N.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
   2. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2768)
      cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\481df2d1bb42c75a91ad8a3fe9d1851ba3d05080d3d901101cc994f3040b6469N.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
   2. C:\Windows\System32\schtasks.exe (PID 2584)
      cmdline: "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /rl highest /tn "481df2d1bb42c75a91ad8a3fe9d1851ba3d05080d3d901101cc994f3040b6469N" /tr "C:\ProgramData\481df2d1bb42c75a91ad8a3fe9d1851ba3d05080d3d901101cc994f3040b6469N.exe"
      - Scheduled Task/Job: Scheduled Task
   2. C:\Windows\system32\netsh.exe (PID 2476)
      cmdline: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\481df2d1bb42c75a91ad8a3fe9d1851ba3d05080d3d901101cc994f3040b6469N.exe" "481df2d1bb42c75a91ad8a3fe9d1851ba3d05080d3d901101cc994f3040b6469N.exe" ENABLE
      - Modifies Windows Firewall
      - Event Triggered Execution: Netsh Helper DLL
1. C:\Windows\system32\taskeng.exe (PID 1984), the Windows 7 Task Scheduler engine that runs the task created above
   cmdline: taskeng.exe {3BC7D728-6FF5-4EE8-8FB2-3CCB10E9B661} S-1-5-21-3533259084-2542256011-65585152-1000:XPAJOTIY\Admin:Interactive:[1]
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\ProgramData\481df2d1bb42c75a91ad8a3fe9d1851ba3d05080d3d901101cc994f3040b6469N.exe (PID 2496)
      cmdline: C:\ProgramData\481df2d1bb42c75a91ad8a3fe9d1851ba3d05080d3d901101cc994f3040b6469N.exe
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
   2. C:\ProgramData\481df2d1bb42c75a91ad8a3fe9d1851ba3d05080d3d901101cc994f3040b6469N.exe (PID 2252)
      cmdline: C:\ProgramData\481df2d1bb42c75a91ad8a3fe9d1851ba3d05080d3d901101cc994f3040b6469N.exe
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
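The process tree above is a compact statement of this sample's setup routine: exclude itself from Defender, register an every-minute scheduled task pointing at a copy in C:\ProgramData, and punch a firewall hole for the original file. The following is an added example, not code from the report or the sandbox: it encodes those three patterns, plus "launched by taskeng.exe from a user-writable directory", as rules over Sysmon-style process-creation records and runs them on constructed events that mirror the command lines above (PIDs and paths taken from the report; two benign control events added to show the rules stay quiet). The field names (Image, ParentImage, CommandLine, ProcessId) and the severity thresholds are assumptions to adapt to your own log schema.

```python
"""Hunt the behaviours seen in this report in process-creation telemetry.

Added example; the rules, field names and sample events are constructed for
illustration and are not part of the sandbox report.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


# Directories a standard user can write to. A Defender exclusion, a scheduled
# task or a firewall allow-rule pointing here is far more suspicious than one
# pointing into Program Files.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\programdata\\")

RE_EXCLUSION = re.compile(
    r"""add-mppreference\s+-exclusion(process|path|extension)\s+['"]?([^'"]+)['"]?""", re.I)
RE_SC_MINUTE = re.compile(r"/sc\s+minute\b", re.I)
RE_MO = re.compile(r"/mo\s+(\d+)", re.I)
RE_TR = re.compile(r'/tr\s+"([^"]+)"', re.I)
RE_NETSH_ALLOW = re.compile(r'firewall\s+add\s+allowedprogram\s+"([^"]+)"', re.I)


def _name(path: str) -> str:
    """Lower-cased file name of a Windows path ('' for an empty path)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _user_writable(path: str) -> bool:
    return any(d in path.lower() for d in USER_WRITABLE)


def classify(ev: dict) -> list[Finding]:
    """Return every rule that fires on one process-creation event."""
    image, cmd, pid = _name(ev["Image"]), ev["CommandLine"], ev["ProcessId"]
    parent = _name(ev.get("ParentImage", ""))
    out: list[Finding] = []

    if image == "powershell.exe":
        m = RE_EXCLUSION.search(cmd)
        if m:
            kind, target = m.group(1).lower(), m.group(2).strip()
            # A process-name exclusion, or a path in user-writable space, is the
            # "exclude myself before dropping the payload" pattern seen above.
            sev = "high" if kind == "process" or _user_writable(target) else "medium"
            out.append(Finding("defender_exclusion_added", pid, f"{sev}: {kind}={target}"))

    elif image == "schtasks.exe" and "/create" in cmd.lower():
        tr = RE_TR.search(cmd)
        target = tr.group(1) if tr else ""
        mo = RE_MO.search(cmd)
        every = int(mo.group(1)) if mo else None
        # Legitimate tasks rarely fire every few minutes; a 1-minute cadence is
        # a relaunch/beacon loop, exactly what /sc minute /mo 1 above creates.
        if RE_SC_MINUTE.search(cmd) and every is not None and every <= 5:
            out.append(Finding("schtasks_minute_beacon", pid, f"every {every} min -> {target}"))
        if _user_writable(target):
            out.append(Finding("schtasks_user_writable_target", pid, target))

    elif image == "netsh.exe":
        m = RE_NETSH_ALLOW.search(cmd)
        if m and _user_writable(m.group(1)):
            out.append(Finding("firewall_allow_user_writable", pid, m.group(1)))

    # Task engine launching a binary from ProgramData/%TEMP%: the persistence
    # above in action, independent of how the task was registered.
    if parent == "taskeng.exe" and _user_writable(ev["Image"]):
        out.append(Finding("scheduled_launch_from_user_writable", pid, ev["Image"]))
    return out


def hunt(events: list[dict]) -> list[Finding]:
    return [f for ev in events for f in classify(ev)]


# Constructed events mirroring the process tree in this report.
DROPPER = "481df2d1bb42c75a91ad8a3fe9d1851ba3d05080d3d901101cc994f3040b6469N.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
TEMP_COPY = rf"C:\Users\Admin\AppData\Local\Temp\{DROPPER}"
PD_COPY = rf"C:\ProgramData\{DROPPER}"
SAMPLE_EVENTS = [
    {"ProcessId": 2424, "Image": PS, "ParentImage": TEMP_COPY,
     "CommandLine": f"\"{PS}\" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '{DROPPER}'"},
    {"ProcessId": 2768, "Image": PS, "ParentImage": TEMP_COPY,
     "CommandLine": f"\"{PS}\" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath '{PD_COPY}'"},
    {"ProcessId": 2584, "Image": r"C:\Windows\System32\schtasks.exe", "ParentImage": TEMP_COPY,
     "CommandLine": f'"C:\\Windows\\System32\\schtasks.exe" /create /f /sc minute /mo 1 /rl highest '
                    f'/tn "{DROPPER[:-4]}" /tr "{PD_COPY}"'},
    {"ProcessId": 2476, "Image": r"C:\Windows\system32\netsh.exe", "ParentImage": TEMP_COPY,
     "CommandLine": f'netsh firewall add allowedprogram "{TEMP_COPY}" "{DROPPER}" ENABLE'},
    {"ProcessId": 2496, "Image": PD_COPY, "ParentImage": r"C:\Windows\system32\taskeng.exe",
     "CommandLine": PD_COPY},
    # Benign controls: an admin reading Defender settings, and a daily task in Program Files.
    {"ProcessId": 3001, "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": f'"{PS}" Get-MpPreference'},
    {"ProcessId": 3002, "Image": r"C:\Windows\System32\schtasks.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'schtasks /create /sc daily /st 03:00 /tn "Backup" /tr "C:\\Program Files\\Backup\\backup.exe"'},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.rule}] pid={f.pid} {f.detail}")
```

Run stand-alone it prints one line per finding for PIDs 2424, 2768, 2584 (two rules), 2476 and 2496 and nothing for the two control events. The rules are deliberately keyed on the arguments rather than on the sample's file name, so the same logic fires on any njRAT build that keeps this setup routine under a different name.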
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1): PowerShell (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Persistence
- Create or Modify System Process (1): Windows Service (1)
- Event Triggered Execution (1): Netsh Helper DLL (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Downloads
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 30bf3d2c07b0615511a3ad647bd75e62
  SHA1: 3c7f82d777cf6bdfb024ff787a0e41dc27ff3e16
  SHA256: fcd9f17c325fdec04f86bff064f4a18aa400bd0eff7ab9df5cbfeecf14a8fb35
  SHA512: 05d1217c77d18ebe6094b8b9a14f241c9e895d7a450a2a96108d70c6a9733e45118192b87d4d0a0b035fbd4222cae83ce539f022725ac5a726b1d232f1c31893
(path not given in the report; the hashes are identical to the submitted sample, so this is a byte-for-byte copy of the dropper)
  Filesize: 56KB
  MD5: 4b6b9b9078efdea1d767e1bb8076e570
  SHA1: 2cefdc00441bab34f9026172fc4d19c15059b5c5
  SHA256: 481df2d1bb42c75a91ad8a3fe9d1851ba3d05080d3d901101cc994f3040b6469
  SHA512: a38c4d9576e6f15341900a1e75057c0e0cc078ee3b3a8ce529a158d494c3a8067f79ba90f85d8a8d591c497a96130a451395efbafd087fc347e29fbd9b57188d