Analysis
-
max time kernel
151s -
max time network
145s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
14-12-2020 14:51
Static task
static1
Behavioral task
behavioral1
Sample
60692010ec5f41a874f5bcb5751b18e3.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
60692010ec5f41a874f5bcb5751b18e3.exe
Resource
win10v20201028
General
-
Target
60692010ec5f41a874f5bcb5751b18e3.exe
-
Size
23KB
-
MD5
60692010ec5f41a874f5bcb5751b18e3
-
SHA1
e87357fdfe5e53c277505358a0f4a4e13d029a79
-
SHA256
8610bfb6154abe78bd6f16ee1405cf372fef86bfbc746573b7df82448b2668f7
-
SHA512
dfba57e59a19ccac913ab8516e77a5c1ca3378ee3f09118c446b349e52a7771a2fd9b949c636ff313ba8f596ea1758e95778b3126e508da4dcad74539cb553de
Malware Config
Extracted
njrat
0.7d
Hacker
trogen123.ddns.net:1177
f3ca647d31447f55fb8ca1d235459281
-
reg_key
f3ca647d31447f55fb8ca1d235459281
-
splitter
|'|'|
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
system.exepid process 1516 system.exe -
Modifies Windows Firewall 1 TTPs
-
Drops startup file 2 IoCs
Processes:
system.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f3ca647d31447f55fb8ca1d235459281.exe system.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f3ca647d31447f55fb8ca1d235459281.exe system.exe -
Loads dropped DLL 1 IoCs
Processes:
60692010ec5f41a874f5bcb5751b18e3.exepid process 596 60692010ec5f41a874f5bcb5751b18e3.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
system.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\f3ca647d31447f55fb8ca1d235459281 = "\"C:\\Users\\Admin\\AppData\\Roaming\\system.exe\" .." system.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\f3ca647d31447f55fb8ca1d235459281 = "\"C:\\Users\\Admin\\AppData\\Roaming\\system.exe\" .." system.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 31 IoCs
Processes:
system.exedescription pid process Token: SeDebugPrivilege 1516 system.exe Token: 33 1516 system.exe Token: SeIncBasePriorityPrivilege 1516 system.exe Token: 33 1516 system.exe Token: SeIncBasePriorityPrivilege 1516 system.exe Token: 33 1516 system.exe Token: SeIncBasePriorityPrivilege 1516 system.exe Token: 33 1516 system.exe Token: SeIncBasePriorityPrivilege 1516 system.exe Token: 33 1516 system.exe Token: SeIncBasePriorityPrivilege 1516 system.exe Token: 33 1516 system.exe Token: SeIncBasePriorityPrivilege 1516 system.exe Token: 33 1516 system.exe Token: SeIncBasePriorityPrivilege 1516 system.exe Token: 33 1516 system.exe Token: SeIncBasePriorityPrivilege 1516 system.exe Token: 33 1516 system.exe Token: SeIncBasePriorityPrivilege 1516 system.exe Token: 33 1516 system.exe Token: SeIncBasePriorityPrivilege 1516 system.exe Token: 33 1516 system.exe Token: SeIncBasePriorityPrivilege 1516 system.exe Token: 33 1516 system.exe Token: SeIncBasePriorityPrivilege 1516 system.exe Token: 33 1516 system.exe Token: SeIncBasePriorityPrivilege 1516 system.exe Token: 33 1516 system.exe Token: SeIncBasePriorityPrivilege 1516 system.exe Token: 33 1516 system.exe Token: SeIncBasePriorityPrivilege 1516 system.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
60692010ec5f41a874f5bcb5751b18e3.exesystem.exedescription pid process target process PID 596 wrote to memory of 1516 596 60692010ec5f41a874f5bcb5751b18e3.exe system.exe PID 596 wrote to memory of 1516 596 60692010ec5f41a874f5bcb5751b18e3.exe system.exe PID 596 wrote to memory of 1516 596 60692010ec5f41a874f5bcb5751b18e3.exe system.exe PID 596 wrote to memory of 1516 596 60692010ec5f41a874f5bcb5751b18e3.exe system.exe PID 1516 wrote to memory of 840 1516 system.exe netsh.exe PID 1516 wrote to memory of 840 1516 system.exe netsh.exe PID 1516 wrote to memory of 840 1516 system.exe netsh.exe PID 1516 wrote to memory of 840 1516 system.exe netsh.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\60692010ec5f41a874f5bcb5751b18e3.exe"C:\Users\Admin\AppData\Local\Temp\60692010ec5f41a874f5bcb5751b18e3.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\system.exe"C:\Users\Admin\AppData\Roaming\system.exe"2⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\system.exe" "system.exe" ENABLE3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\system.exeMD5
60692010ec5f41a874f5bcb5751b18e3
SHA1e87357fdfe5e53c277505358a0f4a4e13d029a79
SHA2568610bfb6154abe78bd6f16ee1405cf372fef86bfbc746573b7df82448b2668f7
SHA512dfba57e59a19ccac913ab8516e77a5c1ca3378ee3f09118c446b349e52a7771a2fd9b949c636ff313ba8f596ea1758e95778b3126e508da4dcad74539cb553de
-
C:\Users\Admin\AppData\Roaming\system.exeMD5
60692010ec5f41a874f5bcb5751b18e3
SHA1e87357fdfe5e53c277505358a0f4a4e13d029a79
SHA2568610bfb6154abe78bd6f16ee1405cf372fef86bfbc746573b7df82448b2668f7
SHA512dfba57e59a19ccac913ab8516e77a5c1ca3378ee3f09118c446b349e52a7771a2fd9b949c636ff313ba8f596ea1758e95778b3126e508da4dcad74539cb553de
-
\Users\Admin\AppData\Roaming\system.exeMD5
60692010ec5f41a874f5bcb5751b18e3
SHA1e87357fdfe5e53c277505358a0f4a4e13d029a79
SHA2568610bfb6154abe78bd6f16ee1405cf372fef86bfbc746573b7df82448b2668f7
SHA512dfba57e59a19ccac913ab8516e77a5c1ca3378ee3f09118c446b349e52a7771a2fd9b949c636ff313ba8f596ea1758e95778b3126e508da4dcad74539cb553de
-
memory/840-6-0x0000000000000000-mapping.dmp
-
memory/1516-3-0x0000000000000000-mapping.dmp