Overview
overview
10Static
static
10d4f7e0c033...35.exe
windows7-x64
10d4f7e0c033...35.exe
windows10-2004-x64
10d57a15943a...b8.exe
windows7-x64
10d57a15943a...b8.exe
windows10-2004-x64
10d5b7e88e91...31.exe
windows7-x64
5d5b7e88e91...31.exe
windows10-2004-x64
5d5b9cbc990...bf.exe
windows7-x64
7d5b9cbc990...bf.exe
windows10-2004-x64
7d5bce0b9b1...56.exe
windows7-x64
10d5bce0b9b1...56.exe
windows10-2004-x64
10d5fc43e4e1...1f.exe
windows7-x64
1d5fc43e4e1...1f.exe
windows10-2004-x64
1d61876dded...d3.exe
windows7-x64
10d61876dded...d3.exe
windows10-2004-x64
10d61b23d4ac...e0.exe
windows7-x64
10d61b23d4ac...e0.exe
windows10-2004-x64
10d690267038...3a.exe
windows7-x64
8d690267038...3a.exe
windows10-2004-x64
8d6995ab53a...3c.exe
windows7-x64
10d6995ab53a...3c.exe
windows10-2004-x64
10d6a9816b0d...9f.exe
windows7-x64
1d6a9816b0d...9f.exe
windows10-2004-x64
1d6e2e28870...ca.exe
windows7-x64
10d6e2e28870...ca.exe
windows10-2004-x64
10d70550d5d4...cd.exe
windows7-x64
10d70550d5d4...cd.exe
windows10-2004-x64
10d72c4b8c14...db.exe
windows7-x64
7d72c4b8c14...db.exe
windows10-2004-x64
7d735d6b2f3...86.exe
windows7-x64
10d735d6b2f3...86.exe
windows10-2004-x64
10d7508b0790...b3.exe
windows7-x64
10d7508b0790...b3.exe
windows10-2004-x64
10Analysis
-
max time kernel
150s -
max time network
133s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
22/03/2025, 06:17
Behavioral task
behavioral1
Sample
d4f7e0c033fa7006a593674e3052cc35.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
d4f7e0c033fa7006a593674e3052cc35.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral3
Sample
d57a15943ae8a9e653d5a6c6870271b8.exe
Resource
win7-20241010-en
Behavioral task
behavioral4
Sample
d57a15943ae8a9e653d5a6c6870271b8.exe
Resource
win10v2004-20250313-en
Behavioral task
behavioral5
Sample
d5b7e88e919915c58afbaad1d7cb2531.exe
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
d5b7e88e919915c58afbaad1d7cb2531.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral7
Sample
d5b9cbc990cc88135ff80a41945ea3c940b8726e286812fbf402dbf5f2f66bbf.exe
Resource
win7-20240903-en
Behavioral task
behavioral8
Sample
d5b9cbc990cc88135ff80a41945ea3c940b8726e286812fbf402dbf5f2f66bbf.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral9
Sample
d5bce0b9b1bfbe56a03cf54d9beb1a2a2e485beccb72393148e209ae63fb8556.exe
Resource
win7-20240729-en
Behavioral task
behavioral10
Sample
d5bce0b9b1bfbe56a03cf54d9beb1a2a2e485beccb72393148e209ae63fb8556.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral11
Sample
d5fc43e4e1fb229c3f946ac0417a0a630b0809b33a2f1bacc7b81f45006fbf1f.exe
Resource
win7-20240903-en
Behavioral task
behavioral12
Sample
d5fc43e4e1fb229c3f946ac0417a0a630b0809b33a2f1bacc7b81f45006fbf1f.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral13
Sample
d61876ddede62df51f22178f3f3810d3.exe
Resource
win7-20240903-en
Behavioral task
behavioral14
Sample
d61876ddede62df51f22178f3f3810d3.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral15
Sample
d61b23d4acf185dc6322a40c7f0f56e0.exe
Resource
win7-20240903-en
Behavioral task
behavioral16
Sample
d61b23d4acf185dc6322a40c7f0f56e0.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral17
Sample
d690267038d2a718d56558e839b2613a.exe
Resource
win7-20240903-en
Behavioral task
behavioral18
Sample
d690267038d2a718d56558e839b2613a.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral19
Sample
d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe
Resource
win7-20240903-en
Behavioral task
behavioral20
Sample
d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral21
Sample
d6a9816b0df03fee5229e490ff3bfa2a016c0eeb9658b09fd6538a34e469579f.exe
Resource
win7-20240903-en
Behavioral task
behavioral22
Sample
d6a9816b0df03fee5229e490ff3bfa2a016c0eeb9658b09fd6538a34e469579f.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral23
Sample
d6e2e288705c6ca37ed2968b4ff7e7ca.exe
Resource
win7-20241010-en
Behavioral task
behavioral24
Sample
d6e2e288705c6ca37ed2968b4ff7e7ca.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral25
Sample
d70550d5d46716704be759d325b3a8f0047905a4f170abe251491f13b3a563cd.exe
Resource
win7-20241010-en
Behavioral task
behavioral26
Sample
d70550d5d46716704be759d325b3a8f0047905a4f170abe251491f13b3a563cd.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral27
Sample
d72c4b8c14b424737ffaaef76a9e591144b983e79322541f28ea06b4436e42db.exe
Resource
win7-20240903-en
Behavioral task
behavioral28
Sample
d72c4b8c14b424737ffaaef76a9e591144b983e79322541f28ea06b4436e42db.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral29
Sample
d735d6b2f34e9a7cd2604d3036ac8486.exe
Resource
win7-20240903-en
Behavioral task
behavioral30
Sample
d735d6b2f34e9a7cd2604d3036ac8486.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral31
Sample
d7508b07903325957294ebdcb89bd5b3.exe
Resource
win7-20241023-en
Behavioral task
behavioral32
Sample
d7508b07903325957294ebdcb89bd5b3.exe
Resource
win10v2004-20250314-en
General
-
Target
d61b23d4acf185dc6322a40c7f0f56e0.exe
-
Size
23KB
-
MD5
d61b23d4acf185dc6322a40c7f0f56e0
-
SHA1
90f6f4fa60866f3704511f12b6453e4104572336
-
SHA256
d7322f0f7be2eee421ed79fd2be0d8a01d38b0b8663b6c6a1eb29afe4d63f6e0
-
SHA512
a72d51948bae56df0bab442b5b8a8e04f8eba03cb102a9962cd5582830af157d961844d2918390dc1ee74fb6814996ccd76ba4ac23a57d0cd6a8c2db11562e86
-
SSDEEP
384:rweXCQIreJig/8Z7SS1fEBpng6tgL2IBPZVmRvR6JZlbw8hqIusZzZuf:MLq411eRpcnuf
Malware Config
Extracted
njrat
0.7d
HacKed
xxlxali.ddns.net:1177
0f281b12f603c40d203a8a7911c030da
-
reg_key
0f281b12f603c40d203a8a7911c030da
-
splitter
|'|'|
Signatures
-
Njrat family
-
Modifies Windows Firewall 2 TTPs 1 IoCs
pid Process 2848 netsh.exe -
Executes dropped EXE 1 IoCs
pid Process 1100 server.exe -
Loads dropped DLL 1 IoCs
pid Process 1784 d61b23d4acf185dc6322a40c7f0f56e0.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\0f281b12f603c40d203a8a7911c030da = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\0f281b12f603c40d203a8a7911c030da = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." server.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language d61b23d4acf185dc6322a40c7f0f56e0.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe -
Suspicious use of AdjustPrivilegeToken 35 IoCs
description pid Process Token: SeDebugPrivilege 1100 server.exe Token: 33 1100 server.exe Token: SeIncBasePriorityPrivilege 1100 server.exe Token: 33 1100 server.exe Token: SeIncBasePriorityPrivilege 1100 server.exe Token: 33 1100 server.exe Token: SeIncBasePriorityPrivilege 1100 server.exe Token: 33 1100 server.exe Token: SeIncBasePriorityPrivilege 1100 server.exe Token: 33 1100 server.exe Token: SeIncBasePriorityPrivilege 1100 server.exe Token: 33 1100 server.exe Token: SeIncBasePriorityPrivilege 1100 server.exe Token: 33 1100 server.exe Token: SeIncBasePriorityPrivilege 1100 server.exe Token: 33 1100 server.exe Token: SeIncBasePriorityPrivilege 1100 server.exe Token: 33 1100 server.exe Token: SeIncBasePriorityPrivilege 1100 server.exe Token: 33 1100 server.exe Token: SeIncBasePriorityPrivilege 1100 server.exe Token: 33 1100 server.exe Token: SeIncBasePriorityPrivilege 1100 server.exe Token: 33 1100 server.exe Token: SeIncBasePriorityPrivilege 1100 server.exe Token: 33 1100 server.exe Token: SeIncBasePriorityPrivilege 1100 server.exe Token: 33 1100 server.exe Token: SeIncBasePriorityPrivilege 1100 server.exe Token: 33 1100 server.exe Token: SeIncBasePriorityPrivilege 1100 server.exe Token: 33 1100 server.exe Token: SeIncBasePriorityPrivilege 1100 server.exe Token: 33 1100 server.exe Token: SeIncBasePriorityPrivilege 1100 server.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 1784 wrote to memory of 1100 1784 d61b23d4acf185dc6322a40c7f0f56e0.exe 30 PID 1784 wrote to memory of 1100 1784 d61b23d4acf185dc6322a40c7f0f56e0.exe 30 PID 1784 wrote to memory of 1100 1784 d61b23d4acf185dc6322a40c7f0f56e0.exe 30 PID 1784 wrote to memory of 1100 1784 d61b23d4acf185dc6322a40c7f0f56e0.exe 30 PID 1100 wrote to memory of 2848 1100 server.exe 32 PID 1100 wrote to memory of 2848 1100 server.exe 32 PID 1100 wrote to memory of 2848 1100 server.exe 32 PID 1100 wrote to memory of 2848 1100 server.exe 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\d61b23d4acf185dc6322a40c7f0f56e0.exe"C:\Users\Admin\AppData\Local\Temp\d61b23d4acf185dc6322a40c7f0f56e0.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1784 -
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1100 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:2848
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
23KB
MD5d61b23d4acf185dc6322a40c7f0f56e0
SHA190f6f4fa60866f3704511f12b6453e4104572336
SHA256d7322f0f7be2eee421ed79fd2be0d8a01d38b0b8663b6c6a1eb29afe4d63f6e0
SHA512a72d51948bae56df0bab442b5b8a8e04f8eba03cb102a9962cd5582830af157d961844d2918390dc1ee74fb6814996ccd76ba4ac23a57d0cd6a8c2db11562e86