Analysis
- max time kernel: 151s
- max time network: 10s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 14-12-2020 13:36
- Static task: static1
- Behavioral task: behavioral1 (Sample: 0eac2b7a8bc6e887fd9b8e0a8371f755.exe, Resource: win7v20201028)
- Behavioral task: behavioral2 (Sample: 0eac2b7a8bc6e887fd9b8e0a8371f755.exe, Resource: win10v20201028)
General
- Target: 0eac2b7a8bc6e887fd9b8e0a8371f755.exe
- Size: 23KB
- MD5: 0eac2b7a8bc6e887fd9b8e0a8371f755
- SHA1: f507b89f8c3e335f548216a9ce9d6dd778451b40
- SHA256: 1299622eef5b6945e51617274abbade793a7de8cd2fb21d5c3830aeb6e32ee73
- SHA512: 400c0bd0554aeac55fc65c3f2dd9849b1515f621d53079d4fd43eaa8cfa4c9c01adf0fbd9b8da5456a03c97cf34ebb1f1ffde7913bac7514778d43ad06dda520
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- word
- C2: 127.0.0.1:5552
- 423f911702a6d9f50203acbcc3b5f95e
- reg_key: 423f911702a6d9f50203acbcc3b5f95e
- splitter: |'|'|
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid | process):
  1344 | world.exe
- Modifies Windows Firewall (1 TTP)
- Loads dropped DLL (1 IoC)
  Processes (pid | process):
  1684 | 0eac2b7a8bc6e887fd9b8e0a8371f755.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description | ioc | process):
  Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\423f911702a6d9f50203acbcc3b5f95e = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\world.exe\" .." | world.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\423f911702a6d9f50203acbcc3b5f95e = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\world.exe\" .." | world.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (31 IoCs)
  Processes (description | pid | process):
  Token: SeDebugPrivilege | 1344 | world.exe
  Token: 33 | 1344 | world.exe
  Token: SeIncBasePriorityPrivilege | 1344 | world.exe
  Token: 33 | 1344 | world.exe
  Token: SeIncBasePriorityPrivilege | 1344 | world.exe
  Token: 33 | 1344 | world.exe
  Token: SeIncBasePriorityPrivilege | 1344 | world.exe
  Token: 33 | 1344 | world.exe
  Token: SeIncBasePriorityPrivilege | 1344 | world.exe
  Token: 33 | 1344 | world.exe
  Token: SeIncBasePriorityPrivilege | 1344 | world.exe
  Token: 33 | 1344 | world.exe
  Token: SeIncBasePriorityPrivilege | 1344 | world.exe
  Token: 33 | 1344 | world.exe
  Token: SeIncBasePriorityPrivilege | 1344 | world.exe
  Token: 33 | 1344 | world.exe
  Token: SeIncBasePriorityPrivilege | 1344 | world.exe
  Token: 33 | 1344 | world.exe
  Token: SeIncBasePriorityPrivilege | 1344 | world.exe
  Token: 33 | 1344 | world.exe
  Token: SeIncBasePriorityPrivilege | 1344 | world.exe
  Token: 33 | 1344 | world.exe
  Token: SeIncBasePriorityPrivilege | 1344 | world.exe
  Token: 33 | 1344 | world.exe
  Token: SeIncBasePriorityPrivilege | 1344 | world.exe
  Token: 33 | 1344 | world.exe
  Token: SeIncBasePriorityPrivilege | 1344 | world.exe
  Token: 33 | 1344 | world.exe
  Token: SeIncBasePriorityPrivilege | 1344 | world.exe
  Token: 33 | 1344 | world.exe
  Token: SeIncBasePriorityPrivilege | 1344 | world.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description | pid | process | target process):
  PID 1684 wrote to memory of 1344 | 1684 | 0eac2b7a8bc6e887fd9b8e0a8371f755.exe | world.exe
  PID 1684 wrote to memory of 1344 | 1684 | 0eac2b7a8bc6e887fd9b8e0a8371f755.exe | world.exe
  PID 1684 wrote to memory of 1344 | 1684 | 0eac2b7a8bc6e887fd9b8e0a8371f755.exe | world.exe
  PID 1684 wrote to memory of 1344 | 1684 | 0eac2b7a8bc6e887fd9b8e0a8371f755.exe | world.exe
  PID 1344 wrote to memory of 864 | 1344 | world.exe | netsh.exe
  PID 1344 wrote to memory of 864 | 1344 | world.exe | netsh.exe
  PID 1344 wrote to memory of 864 | 1344 | world.exe | netsh.exe
  PID 1344 wrote to memory of 864 | 1344 | world.exe | netsh.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\0eac2b7a8bc6e887fd9b8e0a8371f755.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0eac2b7a8bc6e887fd9b8e0a8371f755.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\world.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\world.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\world.exe" "world.exe" ENABLE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\world.exe
  MD5: 0eac2b7a8bc6e887fd9b8e0a8371f755
  SHA1: f507b89f8c3e335f548216a9ce9d6dd778451b40
  SHA256: 1299622eef5b6945e51617274abbade793a7de8cd2fb21d5c3830aeb6e32ee73
  SHA512: 400c0bd0554aeac55fc65c3f2dd9849b1515f621d53079d4fd43eaa8cfa4c9c01adf0fbd9b8da5456a03c97cf34ebb1f1ffde7913bac7514778d43ad06dda520
- memory/864-6-0x0000000000000000-mapping.dmp
- memory/1344-3-0x0000000000000000-mapping.dmp