Analysis
- max time kernel: 149s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 17-06-2024 09:23
- Static task: static1
- Behavioral task behavioral1: sample Requirements.scr, resource win7-20240221-en
- Behavioral task behavioral2: sample Requirements.scr, resource win10v2004-20240611-en
- Behavioral task behavioral3: sample Requirements.docx, resource win7-20240508-en
- Behavioral task behavioral4: sample Requirements.docx, resource win10v2004-20240508-en
- Behavioral task behavioral5: sample nj.exe, resource win7-20231129-en
- Behavioral task behavioral6: sample nj.exe, resource win10v2004-20240611-en
- Behavioral task behavioral7: sample rv.exe, resource win7-20240611-en
- Behavioral task behavioral8: sample rv.exe, resource win10v2004-20240611-en
General
- Target: nj.exe
- Size: 459KB
- MD5: 03c4bd9a3cb44bf49f329fe04e93f537
- SHA1: 257dfb6782bc40e9878ada68f350fd8cce2179fb
- SHA256: 20c1815d9eecee28c6b86ac3e302756c8e4dbc5963d7d8df431e86f5d1dc41e0
- SHA512: c91666311b655e3f9c213f3aa9d1d72c7610bfda227b5da0d8c5f17f56c16357f5f9224e831fe77f23ef66c8391a4a5e416d9b8f78dcc477a82a84fe5569c97c
- SSDEEP: 384:b16KdcoFfsOxQrSuxY8OR1XOg9rXredQ0xtX76i7eaFcwaekfLpOhqVNOXu:ddcoFLxQrS0Yv5OaXyQeV6i7fcB5fOu
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet: HacKed
- C2: awaisawan.zapto.org:5555
- Mutex: 3484533e95ad86b4adeee88c1907dded
- Attributes:
  - reg_key: 3484533e95ad86b4adeee88c1907dded
  - splitter: |'|'|
Signatures
- Modifies Windows Firewall (2 TTPs, 1 IoC)
  Processes: netsh.exe (PID 2908)
- Drops startup file (2 IoCs)
  Processes: svchsot.exe
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3484533e95ad86b4adeee88c1907dded.exe (svchsot.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3484533e95ad86b4adeee88c1907dded.exe (svchsot.exe)
- Executes dropped EXE (1 IoC)
  Processes: svchsot.exe (PID 2688)
- Loads dropped DLL (1 IoC)
  Processes: nj.exe (PID 1420)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: svchsot.exe
  - Set value (str): \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\3484533e95ad86b4adeee88c1907dded = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchsot.exe\" .." (svchsot.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\3484533e95ad86b4adeee88c1907dded = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchsot.exe\" .." (svchsot.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (19 IoCs)
  Processes: svchsot.exe (PID 2688)
  - Token: SeDebugPrivilege (1 time)
  - Token: 33 (9 times)
  - Token: SeIncBasePriorityPrivilege (9 times)
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: nj.exe, svchsot.exe
  - PID 1420 (nj.exe) wrote to memory of PID 2688 (svchsot.exe): 4 times
  - PID 2688 (svchsot.exe) wrote to memory of PID 2908 (netsh.exe): 4 times
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\nj.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\nj.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Users\Admin\AppData\Local\Temp\svchsot.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\svchsot.exe"
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\svchsot.exe" "svchsot.exe" ENABLE
      - Modifies Windows Firewall
Network

MITRE ATT&CK Matrix (ATT&CK v13)
- Persistence
  - Create or Modify System Process (1): Windows Service (1)
  - Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Privilege Escalation
  - Create or Modify System Process (1): Windows Service (1)
  - Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Downloads
- \Users\Admin\AppData\Local\Temp\svchsot.exe
  - Filesize: 459KB
  - MD5: 03c4bd9a3cb44bf49f329fe04e93f537
  - SHA1: 257dfb6782bc40e9878ada68f350fd8cce2179fb
  - SHA256: 20c1815d9eecee28c6b86ac3e302756c8e4dbc5963d7d8df431e86f5d1dc41e0
  - SHA512: c91666311b655e3f9c213f3aa9d1d72c7610bfda227b5da0d8c5f17f56c16357f5f9224e831fe77f23ef66c8391a4a5e416d9b8f78dcc477a82a84fe5569c97c
- memory/1420-0-0x000000007447E000-0x000000007447F000-memory.dmp (Filesize: 4KB)
- memory/1420-1-0x00000000010D0000-0x000000000114A000-memory.dmp (Filesize: 488KB)
- memory/1420-2-0x0000000000310000-0x000000000031C000-memory.dmp (Filesize: 48KB)
- memory/1420-3-0x0000000074470000-0x0000000074B5E000-memory.dmp (Filesize: 6.9MB)
- memory/1420-12-0x0000000074470000-0x0000000074B5E000-memory.dmp (Filesize: 6.9MB)
- memory/2688-11-0x0000000000E10000-0x0000000000E8A000-memory.dmp (Filesize: 488KB)
- memory/2688-13-0x0000000074470000-0x0000000074B5E000-memory.dmp (Filesize: 6.9MB)
- memory/2688-14-0x0000000074470000-0x0000000074B5E000-memory.dmp (Filesize: 6.9MB)
- memory/2688-15-0x0000000074470000-0x0000000074B5E000-memory.dmp (Filesize: 6.9MB)
- memory/2688-17-0x0000000074470000-0x0000000074B5E000-memory.dmp (Filesize: 6.9MB)