Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-ltsc_2021_x64
resource: win10ltsc2021-20250314-en
resource tags: arch:x64, arch:x86, image:win10ltsc2021-20250314-en, locale:en-us, os:windows10-ltsc_2021-x64, system
submitted: 22/03/2025, 23:19
Behavioral task: behavioral1
Sample: Payload.exe
Resource: win10ltsc2021-20250314-en
General
Target: Payload.exe
Size: 54KB
MD5: 81e043b5ee1e8931c5ac4d6f79457590
SHA1: 616f70b905d99605586de3fa2997135812f9faa1
SHA256: 15e516db2e5992ec2ab10969b8b0fef5f86d37f3720cb3a738011fa3ca56a622
SHA512: e4933e3897f65a54b25f8e97084ab045b96b6645cb3a3ccdab80c0fd29dffdbf5f53a84b4a62c74d5190a3515b01226843b1f18da8f8768e667f7e97a9ee3e64
SSDEEP: 1536:r3EVGt9gmgpDGxJSMGFWQcGD8X3xIEpm3g:QVGtGmCGxJSMGFWQnD8X3xIEpm
Malware Config
Signatures
Njrat family

Stops running service(s) (4 TTPs)

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
  description       | ioc                                                                                                  | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-3174447216-2582055397-1659630574-1000\Control Panel\International\Geo\Nation | Payload.exe

Drops startup file (2 IoCs)
  description                  | ioc                                                                                                               | Process
  File created                 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\63c41129dcdd177a39b9286624eb2f23.exe | Payload.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\63c41129dcdd177a39b9286624eb2f23.exe | Payload.exe

Executes dropped EXE (2 IoCs)
  pid  | Process
  2864 | 5ffa6af9608144eea1de1b1a62e78382.exe
  4416 | ffcc0c9dfb324e109b3fe57e011cb31b.exe

Command and Scripting Interpreter: PowerShell (1 IoC)
  pid  | Process
  4280 | powershell.exe

Enumerates connected drives (3 TTPs, 1 IoC)
Attempts to read the root path of hard drives other than the default C: drive.
  description             | ioc    | Process
  File opened (read-only) | \??\E: | Payload.exe

Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
Bootkits write to the MBR to gain persistence at a level below the operating system.
  description                  | ioc                | Process
  File opened for modification | \??\PhysicalDrive0 | Payload.exe
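The IoC above records a write-capable handle on the raw disk, which is what the signature keys on; it does not by itself show that sector 0 was changed. The following is an added example (not part of the sandbox report and not code from the sample) of how to verify that after the fact: parse a 512-byte boot sector, check the 0x55AA signature, hash the 440-byte bootstrap area and compare it with a known-good baseline, and decode the partition table. The two sectors it analyses are constructed inline for the demonstration; on a real host you would read sector 0 of \\.\PhysicalDrive0 with administrative rights and take the baseline hash from a clean image of the same Windows build, which this example assumes you have.

```python
"""Check whether a boot sector still matches a known-good MBR.
Added example; the sectors below are constructed, not read from the analysed host."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440        # bytes 0..439: bootstrap code, before the disk signature
PART_TABLE_OFF = 446       # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"

def parse_mbr(sector):
    """Decode signature, disk signature, boot-code hash and the used partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0:
            partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": count})
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "disk_signature": struct.unpack_from("<I", sector, 440)[0],
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }

def check_mbr(sector, baseline_boot_code_sha256):
    """Return findings; an empty list means the sector is consistent with the baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing: not a valid MBR")
    if info["boot_code_sha256"] != baseline_boot_code_sha256:
        findings.append("bootstrap code differs from baseline: possible bootkit")
    bootable = [p for p in info["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"expected one bootable partition, found {len(bootable)}")
    return findings

def make_sample_mbr(boot_code):
    """Construct a minimal MBR with the given boot code and one active NTFS partition."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    struct.pack_into("<I", sector, 440, 0x1234ABCD)                     # disk signature
    struct.pack_into("<B3xB3xII", sector, PART_TABLE_OFF, 0x80, 0x07, 2048, 204800)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)

# Constructed sectors: a "clean" one that defines the baseline, and one whose
# bootstrap code was replaced (here by a jmp $ stub) the way a bootkit would.
CLEAN_MBR = make_sample_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 16)
BASELINE_SHA256 = hashlib.sha256(CLEAN_MBR[:BOOT_CODE_LEN]).hexdigest()
TAMPERED_MBR = make_sample_mbr(b"\xeb\xfe" + b"\x90" * 16)

if __name__ == "__main__":
    print("clean:", check_mbr(CLEAN_MBR, BASELINE_SHA256) or ["OK"])
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE_SHA256))
```

Hashing only the first 440 bytes matters: the disk signature at offset 440 and the partition table legitimately differ between machines, so comparing the whole sector against a baseline would always fail. A clean signature and partition table with a changed bootstrap area is the pattern to look for after a sample opens PhysicalDrive0 for writing.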
Launches sc.exe (3 IoCs)
sc.exe is the Windows utility used to control services on the system.
  pid  | Process
  3540 | sc.exe
  3104 | sc.exe
  3140 | sc.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 12 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of the host. Note that every process in the tree triggers this, including the system's own cmd.exe, sc.exe, attrib.exe and taskkill.exe, so on its own it is weak evidence of deliberate discovery by the sample.
  description | ioc                                                         | Process
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | attrib.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe (5 entries)
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sc.exe (3 entries)
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Payload.exe

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments. All three hits below come from taskmgr.exe, not from the sample.
  description       | ioc                                                                                                                                                       | Process
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName                                         | taskmgr.exe
  Key opened        | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000                                                      | taskmgr.exe
  Key opened        | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe

Kills process with taskkill (1 IoC)
  pid  | Process
  1212 | taskkill.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid  | Process
  3592 | Payload.exe (64 identical entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | Process
  332 | taskmgr.exe

Suspicious use of AdjustPrivilegeToken (63 IoCs)
  Token                                                                                                                                                                                                                                                                                                                                                                                                                            | pid  | Process
  SeDebugPrivilege                                                                                                                                                                                                                                                                                                                                                                                                                 | 3592 | Payload.exe
  SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 | 4280 | powershell.exe
  SeDebugPrivilege                                                                                                                                                                                                                                                                                                                                                                                                                 | 1212 | taskkill.exe
  SeDebugPrivilege, SeSystemProfilePrivilege, SeCreateGlobalPrivilege                                                                                                                                                                                                                                                                                                                                                             | 332  | taskmgr.exe
  33, SeIncBasePriorityPrivilege (17 times each)                                                                                                                                                                                                                                                                                                                                                                                   | 3592 | Payload.exe
  33, SeIncBasePriorityPrivilege                                                                                                                                                                                                                                                                                                                                                                                                   | 2860 | AUDIODG.EXE

Suspicious use of FindShellTrayWindow (64 IoCs)
  pid | Process
  332 | taskmgr.exe (64 identical entries)

Suspicious use of SendNotifyMessage (64 IoCs)
  pid | Process
  332 | taskmgr.exe (64 identical entries)

Suspicious use of WriteProcessMemory (37 IoCs)
Every target below is a direct child of the writing process in the tree, i.e. the normal process-creation pattern rather than injection into an unrelated process. Each pair is reported three times (twice for the two dropped executables).
  description                      | pid  | Process     | procid_target
  PID 3592 wrote to memory of 3056 | 3592 | Payload.exe | 82  (3 entries)
  PID 3592 wrote to memory of 580  | 3592 | Payload.exe | 84  (3 entries)
  PID 580 wrote to memory of 4280  | 580  | cmd.exe     | 86  (3 entries)
  PID 3592 wrote to memory of 2620 | 3592 | Payload.exe | 90  (3 entries)
  PID 2620 wrote to memory of 3140 | 2620 | cmd.exe     | 92  (3 entries)
  PID 3592 wrote to memory of 3096 | 3592 | Payload.exe | 93  (3 entries)
  PID 3096 wrote to memory of 3540 | 3096 | cmd.exe     | 96  (3 entries)
  PID 3592 wrote to memory of 3448 | 3592 | Payload.exe | 97  (3 entries)
  PID 3448 wrote to memory of 3104 | 3448 | cmd.exe     | 99  (3 entries)
  PID 3592 wrote to memory of 3904 | 3592 | Payload.exe | 100 (3 entries)
  PID 3904 wrote to memory of 1212 | 3904 | cmd.exe     | 102 (3 entries)
  PID 3592 wrote to memory of 2864 | 3592 | Payload.exe | 107 (2 entries)
  PID 3592 wrote to memory of 4416 | 3592 | Payload.exe | 109 (2 entries)

Views/modifies file attributes (1 TTP, 1 IoC)
  pid  | Process
  3056 | attrib.exe
Processes

[1] C:\Users\Admin\AppData\Local\Temp\Payload.exe
    command: "C:\Users\Admin\AppData\Local\Temp\Payload.exe"
    PID: 3592
    - Checks computer location settings
    - Drops startup file
    - Enumerates connected drives
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\attrib.exe
        command: attrib +h "C:\Users\Admin\AppData\Local\Temp\Payload.exe"
        PID: 3056
        - System Location Discovery: System Language Discovery
        - Views/modifies file attributes

    [2] C:\Windows\SysWOW64\cmd.exe
        command: cmd /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
        PID: 580
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            command: powershell Set-MpPreference -DisableRealtimeMonitoring $true
            PID: 4280
            - Command and Scripting Interpreter: PowerShell
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\SysWOW64\cmd.exe
        command: cmd /c sc query windefend
        PID: 2620
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\sc.exe
            command: sc query windefend
            PID: 3140
            - Launches sc.exe
            - System Location Discovery: System Language Discovery

    [2] C:\Windows\SysWOW64\cmd.exe
        command: cmd /c sc stop windefend
        PID: 3096
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\sc.exe
            command: sc stop windefend
            PID: 3540
            - Launches sc.exe
            - System Location Discovery: System Language Discovery

    [2] C:\Windows\SysWOW64\cmd.exe
        command: cmd /c sc delete windefend
        PID: 3448
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\sc.exe
            command: sc delete windefend
            PID: 3104
            - Launches sc.exe
            - System Location Discovery: System Language Discovery

    [2] C:\Windows\SysWOW64\cmd.exe
        command: cmd /c taskkill /f /im Wireshark.exe
        PID: 3904
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\taskkill.exe
            command: taskkill /f /im Wireshark.exe
            PID: 1212
            - System Location Discovery: System Language Discovery
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken

    [2] C:\Users\Admin\AppData\Local\Temp\5ffa6af9608144eea1de1b1a62e78382.exe
        command: "C:\Users\Admin\AppData\Local\Temp\5ffa6af9608144eea1de1b1a62e78382.exe"
        PID: 2864
        - Executes dropped EXE

    [2] C:\Users\Admin\AppData\Local\Temp\ffcc0c9dfb324e109b3fe57e011cb31b.exe
        command: "C:\Users\Admin\AppData\Local\Temp\ffcc0c9dfb324e109b3fe57e011cb31b.exe"
        PID: 4416
        - Executes dropped EXE

[1] C:\Windows\system32\taskmgr.exe
    command: "C:\Windows\system32\taskmgr.exe" /4
    PID: 332
    - Checks SCSI registry key(s)
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

[1] C:\Windows\system32\AUDIODG.EXE
    command: C:\Windows\system32\AUDIODG.EXE 0x488 0x3c4
    PID: 2860
    - Suspicious use of AdjustPrivilegeToken
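The WriteProcessMemory rows and the process tree above carry the same information twice: every "wrote to memory of" target is a direct child of the writer, which is the sandbox observing CreateProcess writing the new process's startup data, not injection into a foreign process. As an added example (not code from the report, the sandbox or the sample), the script below parses an excerpt of those rows exactly as they are printed, deduplicates the repeated edges, rebuilds the tree, and then attributes the Defender-tampering, Wireshark-killing and self-hiding commands from the process list to the sample that ultimately spawned them. The pid-to-command-line map is transcribed from the Processes section; the rule patterns are this example's own assumptions, and the list of analysis tools in the taskkill rule deliberately goes beyond the single Wireshark.exe seen here.

```python
"""Rebuild the sandbox process tree from 'wrote to memory of' rows and attribute
defence-evasion commands to the root sample. Added example, not the report's code."""
import re
from collections import defaultdict

# Excerpt of the 'Suspicious use of WriteProcessMemory' rows as printed in the
# report; the first edge is kept in triplicate to show the deduplication.
WPM_ROWS = """
PID 3592 wrote to memory of 3056 3592 Payload.exe 82
PID 3592 wrote to memory of 3056 3592 Payload.exe 82
PID 3592 wrote to memory of 3056 3592 Payload.exe 82
PID 3592 wrote to memory of 580 3592 Payload.exe 84
PID 580 wrote to memory of 4280 580 cmd.exe 86
PID 3592 wrote to memory of 2620 3592 Payload.exe 90
PID 2620 wrote to memory of 3140 2620 cmd.exe 92
PID 3592 wrote to memory of 3096 3592 Payload.exe 93
PID 3096 wrote to memory of 3540 3096 cmd.exe 96
PID 3592 wrote to memory of 3448 3592 Payload.exe 97
PID 3448 wrote to memory of 3104 3448 cmd.exe 99
PID 3592 wrote to memory of 3904 3592 Payload.exe 100
PID 3904 wrote to memory of 1212 3904 cmd.exe 102
PID 3592 wrote to memory of 2864 3592 Payload.exe 107
PID 3592 wrote to memory of 4416 3592 Payload.exe 109
"""

# pid -> command line, transcribed from the Processes section of the report.
CMDLINES = {
    3592: r'"C:\Users\Admin\AppData\Local\Temp\Payload.exe"',
    3056: r'attrib +h "C:\Users\Admin\AppData\Local\Temp\Payload.exe"',
    580: r'cmd /c powershell Set-MpPreference -DisableRealtimeMonitoring $true',
    4280: r'powershell Set-MpPreference -DisableRealtimeMonitoring $true',
    2620: r'cmd /c sc query windefend',
    3140: r'sc query windefend',
    3096: r'cmd /c sc stop windefend',
    3540: r'sc stop windefend',
    3448: r'cmd /c sc delete windefend',
    3104: r'sc delete windefend',
    3904: r'cmd /c taskkill /f /im Wireshark.exe',
    1212: r'taskkill /f /im Wireshark.exe',
    2864: r'"C:\Users\Admin\AppData\Local\Temp\5ffa6af9608144eea1de1b1a62e78382.exe"',
    4416: r'"C:\Users\Admin\AppData\Local\Temp\ffcc0c9dfb324e109b3fe57e011cb31b.exe"',
}

# description column: "PID <parent> wrote to memory of <child>", then pid, Process, procid_target
ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ \S+ \d+")

def build_tree(rows):
    """Return (parent_of, children_of); each parent->child edge is counted once."""
    parent_of, children_of = {}, defaultdict(list)
    for parent, child in ROW_RE.findall(rows):
        parent, child = int(parent), int(child)
        if child not in parent_of:              # same edge is reported up to three times
            parent_of[child] = parent
            children_of[parent].append(child)
    return parent_of, dict(children_of)

def root_of(pid, parent_of):
    """Walk up to the process with no recorded parent (the submitted sample)."""
    while pid in parent_of:
        pid = parent_of[pid]
    return pid

def command_name(cmd):
    """First token of a command line; a quoted image path is reduced to its basename."""
    first = cmd[1:cmd.index('"', 1)] if cmd.startswith('"') else cmd.split()[0]
    return first.rsplit("\\", 1)[-1]

def lineage(pid, parent_of, cmdlines):
    """Render the ancestor chain root-first, e.g. Payload.exe(3592) > cmd(580) > ..."""
    chain = []
    while True:
        chain.append(f"{command_name(cmdlines.get(pid, '?'))}({pid})")
        if pid not in parent_of:
            return " > ".join(reversed(chain))
        pid = parent_of[pid]

# Rule patterns are this example's own; tune them for your environment.
REGEX_RULES = [
    ("defender_realtime_off", re.compile(r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$true", re.I)),
    ("defender_service_tamper", re.compile(r"\bsc(?:\.exe)?\s+(?:stop|delete)\s+windefend\b", re.I)),
    # Broader than the single Wireshark.exe the report shows.
    ("analysis_tool_kill", re.compile(r"\btaskkill(?:\.exe)?\b.*?/im\s+(?:wireshark|procmon|procexp|x64dbg|fiddler)\.exe", re.I)),
]
ATTRIB_HIDE = re.compile(r'\battrib(?:\.exe)?\s+\+h\s+("[^"]+"|\S+)', re.I)

def matching_rules(cmd, root_cmd):
    """Names of all rules a command line matches; hide_own_image needs the root's image path."""
    names = [name for name, rx in REGEX_RULES if rx.search(cmd)]
    m = ATTRIB_HIDE.search(cmd)
    if m and m.group(1).strip('"').lower() == root_cmd.strip('"').lower():
        names.append("hide_own_image")
    return names

def find_evasion(rows, cmdlines):
    """Return (rule name, pid, root pid) for every command in the tree that matches a rule."""
    parent_of, _ = build_tree(rows)
    findings = []
    for pid, cmd in cmdlines.items():
        root = root_of(pid, parent_of)
        for name in matching_rules(cmd, cmdlines.get(root, "")):
            findings.append((name, pid, root))
    return findings

if __name__ == "__main__":
    parent_of, _ = build_tree(WPM_ROWS)
    for name, pid, root in find_evasion(WPM_ROWS, CMDLINES):
        print(f"{name:24} {lineage(pid, parent_of, CMDLINES)}")
```

Run against the excerpt, every finding resolves to root 3592 (Payload.exe), including the sc.exe and powershell.exe leaves that are two hops away through cmd.exe; the `sc query windefend` pair is not flagged, since querying the service is not tampering. The same attribution logic applies to Sysmon Event ID 1 data once ParentProcessId/ProcessId pairs are substituted for the sandbox rows.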
Network
MITRE ATT&CK Enterprise v15

Execution
  Command and Scripting Interpreter (1)
    PowerShell (1)
  System Services (1)
    Service Execution (1)
Persistence
  Create or Modify System Process (1)
    Windows Service (1)
  Pre-OS Boot (1)
    Bootkit (1)
Defense Evasion
  Hide Artifacts (1)
    Hidden Files and Directories (1)
  Impair Defenses (1)
  Pre-OS Boot (1)
    Bootkit (1)
Downloads

Filesize: 844KB
MD5: 8cac1595b184f66d7a122af38d5dfe71
SHA1: e0bc0162472edf77a05134e77b540663ac050ab6
SHA256: 00201a2fd4916193c9c7bbba7be6a77fa5876085480b67da4e1228fd8b23ae5f
SHA512: 88d3753ce73bbf95ee1fdbdff21eb9331e59ca92cfa5c489f141c07dc90871e3032e331c9dd77b1fec4522add3ac25c51d5c699d7801a5343dd2ae447c60f8f8

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82