Analysis
max time kernel: 151s
max time network: 34s
platform: windows7_x64
resource: win7v20201028
submitted: 14-12-2020 16:28
Static task: static1
Behavioral task: behavioral1 (Sample: c5e2d8b234f4c2b2db29eba11e18a75c.exe; Resource: win7v20201028)
Behavioral task: behavioral2 (Sample: c5e2d8b234f4c2b2db29eba11e18a75c.exe; Resource: win10v20201028)
General
Target: c5e2d8b234f4c2b2db29eba11e18a75c.exe
Size: 388KB
MD5: c5e2d8b234f4c2b2db29eba11e18a75c
SHA1: 6c88462bf8c577b1a6fc304f2724491736b56be5
SHA256: 9f85eb5b1e7b261c9a7a1cd793badff334e84942ed652f09a0fc7d83008fe621
SHA512: dab93f487e09c14aaed8f32814d94dfbac9fa9e1d076d730337ab3379058b0bdd012a86219146010e6060eab77b654a8815208a0d027e1cbb3b25b62876f5fa7
Malware Config
Extracted family: njrat
Version: 0.7d
Campaign (botnet) name: HacKed
C2: karamnaser321.ddns.net:1177
Identifier (unlabeled in the extracted report; same value as reg_key): 0518517d1f621a093c3997945c521862
reg_key: 0518517d1f621a093c3997945c521862
splitter: |'|'|
The reg_key value is reused as the name of the Run-key value and of the Startup-folder copy recorded under Signatures below, so it is the single most specific host indicator for this build. The C2 is a dynamic-DNS host (ddns.net) on the njRAT default port 1177.
Signatures

Executes dropped EXE (2 IoCs)
  PID 1780  LocalHqxEsTdCwp.exe
  PID 1676  server.exe
Modifies Windows Firewall (1 TTPs)
  The netsh.exe child of server.exe in the process tree below adds a firewall allowedprogram entry for the Temp copy of server.exe.
Drops startup file (2 IoCs)
  server.exe  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0518517d1f621a093c3997945c521862.exe
  server.exe  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0518517d1f621a093c3997945c521862.exe
Loads dropped DLL (1 IoCs)
  PID 1780  LocalHqxEsTdCwp.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
  server.exe  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\0518517d1f621a093c3997945c521862 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."
  server.exe  Set value (str)  \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\0518517d1f621a093c3997945c521862 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."
  Both values are named after the config reg_key and launch server.exe with a trailing ".." argument. Persistence is written to both the machine hive (WOW6432Node, so the 32-bit RAT is registered on this x64 host) and the current user's hive.
Drops file in Windows directory (1 IoCs)
  WINWORD.EXE  File opened for modification  C:\Windows\Debug\WIA\wiatrace.log
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  (This is the sandbox's generic description for the signature. The sample is classified as njRAT above and no file-encryption activity appears anywhere in this report; drive enumeration is consistent with a RAT inventorying the host.)
Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings (WINWORD.EXE, 9 IoCs)
  (The signature header is missing from the extracted report; the attribution comes from the "Modifies Internet Explorer settings" entry for WINWORD.EXE in the process tree.)
  All keys below are under \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\:
  Key created      MenuExt
  Key created      MenuExt\Se&nd to OneNote
  Set value (str)  MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"
  Set value (int)  MenuExt\Se&nd to OneNote\Contexts = "55"
  Key created      MenuExt\E&xport to Microsoft Excel
  Set value (str)  MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"
  Set value (int)  MenuExt\E&xport to Microsoft Excel\Contexts = "1"
  Key created      Toolbar
  Set value (str)  Toolbar\ShowDiscussionButton = "Yes"
  These MenuExt and Toolbar entries ("Send to OneNote", "Export to Microsoft Excel", the discussion button) are the standard browser-integration keys Office 2010 writes when Word runs; they are Office first-run noise, not attacker configuration, and should not be used as indicators.
Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  PID 736  WINWORD.EXE
Suspicious use of AdjustPrivilegeToken (29 IoCs)
  PID 1676  server.exe  Token: SeDebugPrivilege (once), followed by 28 alternating entries of Token: 33 and Token: SeIncBasePriorityPrivilege (14 of each)
  Privilege LUID 33 is SeIncreaseWorkingSetPrivilege. The entry that matters is SeDebugPrivilege: nothing in the persistence chain needs it, and it is the privilege a RAT enables before opening other processes' memory.
Suspicious use of SetWindowsHookEx (2 IoCs)
  PID 736  WINWORD.EXE (2 entries)
Suspicious use of WriteProcessMemory (20 IoCs)
  Each parent-to-child pair below is recorded four times:
  PID 1836  c5e2d8b234f4c2b2db29eba11e18a75c.exe  ->  PID 1780  LocalHqxEsTdCwp.exe
  PID 1836  c5e2d8b234f4c2b2db29eba11e18a75c.exe  ->  PID 736   WINWORD.EXE
  PID 1780  LocalHqxEsTdCwp.exe                   ->  PID 1676  server.exe
  PID 736   WINWORD.EXE                           ->  PID 780   splwow64.exe
  PID 1676  server.exe                            ->  PID 436   netsh.exe
  These writes map one-to-one onto the process creations in the tree below (a parent writes into the child it has just started, including the benign WINWORD.EXE -> splwow64.exe pair), so they document the spawn chain rather than injection into an existing process.
Processes
1  C:\Users\Admin\AppData\Local\Temp\c5e2d8b234f4c2b2db29eba11e18a75c.exe  (PID 1836)
   "C:\Users\Admin\AppData\Local\Temp\c5e2d8b234f4c2b2db29eba11e18a75c.exe"
   - Suspicious use of WriteProcessMemory
   2  C:\Users\Admin\AppData\LocalHqxEsTdCwp.exe  (PID 1780)
      "C:\Users\Admin\AppData\LocalHqxEsTdCwp.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      3  C:\Users\Admin\AppData\Local\Temp\server.exe  (PID 1676)
         "C:\Users\Admin\AppData\Local\Temp\server.exe"
         - Executes dropped EXE
         - Drops startup file
         - Adds Run key to start application
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory
         4  C:\Windows\SysWOW64\netsh.exe  (PID 436)
            netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
   2  C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE  (PID 736)
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\LocalVhJPsrdoQS.docx"
      - Drops file in Windows directory
      - Modifies Internet Explorer settings
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3  C:\Windows\splwow64.exe  (PID 780)
         C:\Windows\splwow64.exe 12288
PIDs are taken from the WriteProcessMemory table above. The submitted file is a dropper with two branches: it writes an executable (LocalHqxEsTdCwp.exe) and a document (LocalVhJPsrdoQS.docx, most likely a decoy), runs the executable, and opens the document in Word. The executable copies itself to %TEMP%\server.exe, which installs the Run keys and Startup copy and then whitelists itself in the firewall through the deprecated "netsh firewall" context (still accepted on Windows 7). Both dropped files land directly in C:\Users\Admin\AppData\ with "Local" fused onto the file name, which looks like a missing path separator in the dropper; files in that unusual location are a cheap hunting artifact for this build.
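The extracted config and the persistence signatures above translate directly into hunting logic. The following Python is an added example, not part of the sandbox report or of the sample: it encodes the Run-key, Startup-folder, netsh and dynamic-DNS behaviours recorded for server.exe as rules, correlates hits per acting process, and checks whether the 32-hex name shared by the Run value and the Startup copy equals the config reg_key. The Sysmon-style event schema, the rule names, the benign noise events and the dynamic-DNS suffix list are this example's own assumptions; the events are constructed to mirror the report's IoCs, not captured telemetry.

```python
"""Hunt for the njRAT persistence chain from this report in Sysmon-style telemetry.

Added example: the events below are constructed to mirror the report's IoCs;
the event schema, rule names and DDNS suffix list are assumptions of this example.
"""
import re
from collections import defaultdict

# Indicators lifted from the report's extracted config.
C2_HOST = "karamnaser321.ddns.net"
REG_KEY = "0518517d1f621a093c3997945c521862"

RUN_KEY = re.compile(r"\\Software\\(?:Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\([^\\]+)$", re.I)
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\|\\ProgramData\\|\\Windows\\Temp\\", re.I)
NETSH_ALLOW = re.compile(r"\bnetsh(?:\.exe)?\b.*\bfirewall\b.*\badd\s+(?:allowedprogram|rule)\b", re.I)
HEX32 = re.compile(r"^[0-9a-f]{32}$", re.I)
# Dynamic-DNS suffixes favoured by commodity RAT operators (assumed, non-exhaustive list).
DDNS_SUFFIXES = (".ddns.net", ".no-ip.org", ".no-ip.biz", ".hopto.org", ".zapto.org", ".duckdns.org")
# The three behaviours that together make up the chain server.exe shows in the report.
CHAIN = {"run_key_user_writable", "startup_folder_exe", "netsh_allow_user_writable"}


def check_event(ev):
    """Return (rule, acting_pid, detail) tuples for one event; empty when nothing matches."""
    hits = []
    pid = ev["pid"]
    if ev["type"] == "registry_set":
        m = RUN_KEY.search(ev["target"])
        if m and USER_WRITABLE.search(ev["details"]):
            name = m.group(1)
            hits.append(("run_key_user_writable", pid, name))
            if HEX32.match(name):                       # value named like the config reg_key
                hits.append(("run_key_hex32_name", pid, name))
            if ev["details"].rstrip().endswith(" .."):  # trailing '..' argument seen in this sample
                hits.append(("run_value_dotdot_arg", pid, ev["details"]))
    elif ev["type"] == "file_create":
        m = STARTUP_DIR.search(ev["target"])
        if m and m.group(1).lower().endswith(".exe"):
            hits.append(("startup_folder_exe", pid, m.group(1)))
    elif ev["type"] == "process":
        # netsh itself is innocent; attribute the firewall change to the parent that spawned it.
        if NETSH_ALLOW.search(ev["cmdline"]) and USER_WRITABLE.search(ev["cmdline"]):
            hits.append(("netsh_allow_user_writable", ev["parent_pid"], ev["cmdline"]))
    elif ev["type"] == "dns":
        q = ev["query"].lower()
        if q == C2_HOST:
            hits.append(("known_c2_host", pid, q))
        elif q.endswith(DDNS_SUFFIXES):
            hits.append(("dynamic_dns_query", pid, q))
    return hits


def correlate(events):
    """Group hits per acting process and decide whether the full chain is present."""
    per_pid = defaultdict(lambda: {"rules": set(), "run_names": set(), "startup_names": set()})
    for ev in events:
        for rule, pid, detail in check_event(ev):
            d = per_pid[pid]
            d["rules"].add(rule)
            if rule == "run_key_hex32_name":
                d["run_names"].add(detail.lower())
            elif rule == "startup_folder_exe":
                d["startup_names"].add(re.sub(r"\.exe$", "", detail, flags=re.I).lower())
    report = {}
    for pid, d in per_pid.items():
        shared = d["run_names"] & d["startup_names"]   # same 32-hex name in Run key and Startup folder
        reg_key = next(iter(shared)) if len(shared) == 1 else None
        report[pid] = {
            "rules": d["rules"],
            "reg_key": reg_key,
            "matches_known_config": reg_key == REG_KEY,
            "verdict": "njrat_persistence_chain" if CHAIN <= d["rules"] else "review",
        }
    return report


TEMP_SERVER = r"C:\Users\Admin\AppData\Local\Temp\server.exe"
EVENTS = [  # constructed to mirror the report; not captured telemetry
    {"type": "registry_set", "pid": 1676, "image": TEMP_SERVER,
     "target": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\0518517d1f621a093c3997945c521862",
     "details": '"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe" ..'},
    {"type": "file_create", "pid": 1676, "image": TEMP_SERVER,
     "target": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0518517d1f621a093c3997945c521862.exe"},
    {"type": "process", "pid": 436, "parent_pid": 1676, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": 'netsh firewall add allowedprogram "C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe" "server.exe" ENABLE'},
    {"type": "dns", "pid": 1676, "image": TEMP_SERVER, "query": "karamnaser321.ddns.net"},
    # Benign noise (assumed): a vendor Run key under Program Files, and a DDNS lookup by a browser.
    {"type": "registry_set", "pid": 900, "image": r"C:\Program Files\OneDrive\OneDrive.exe",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": '"C:\\Program Files\\OneDrive\\OneDrive.exe" /background'},
    {"type": "dns", "pid": 2222, "image": r"C:\Program Files\Firefox\firefox.exe", "query": "homecam.hopto.org"},
]

if __name__ == "__main__":
    for pid, r in sorted(correlate(EVENTS).items()):
        print(pid, r["verdict"], r["reg_key"], sorted(r["rules"]))
```

Run against the constructed events, PID 1676 is reported as the full chain with reg_key equal to the extracted config value, the OneDrive Run key produces no hit because its target is not user-writable, and the browser's hopto.org lookup is surfaced only as a low-confidence "review" item. The Run-key, Startup and netsh rules do not depend on the sample's hashes, so the same logic catches other njRAT builds with different reg_key values; the exact reg_key match only raises confidence.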
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
C:\Users\Admin\AppData\LocalHqxEsTdCwp.exe
  MD5: 3c5d8b82a26ebfa52a7635f815315a71
  SHA1: effa029f17398bee9a9229b4bba7ce42c968f194
  SHA256: 40e56583b337aa5a9cd070d40ac91ed2ec18ef8744a9bdc8cf2eb91d4a62019f
  SHA512: db199a6a846dacec2cd49eebdc5b6b79e26fc8266f7a7b167968240b23fdac25e678352ca4c1c5cf2c52c3f6feb429504ef23cd967376e044c742ded44b623ee
C:\Users\Admin\AppData\LocalVhJPsrdoQS.docx
  MD5: 63c814344bb5edcac76c4f829c7f1dad
  SHA1: 77c3bd09de67bf2e0971a34a46a37cfc592ca5df
  SHA256: ddfc3ed056efa3d87bd76e49647815c92d22af8a18d41161af7577b6e3681869
  SHA512: 58c4c6a616f1af40c52e131c5800adf58832eb975f17c291ae3d3c8826a02fe8e41492f5f0b91bdf0127994aa993d68eb766e0c486d8971b21c7b4ab8fa41de5
C:\Users\Admin\AppData\Local\Temp\server.exe (also listed as \Users\Admin\AppData\Local\Temp\server.exe)
  MD5: 3c5d8b82a26ebfa52a7635f815315a71
  SHA1: effa029f17398bee9a9229b4bba7ce42c968f194
  SHA256: 40e56583b337aa5a9cd070d40ac91ed2ec18ef8744a9bdc8cf2eb91d4a62019f
  SHA512: db199a6a846dacec2cd49eebdc5b6b79e26fc8266f7a7b167968240b23fdac25e678352ca4c1c5cf2c52c3f6feb429504ef23cd967376e044c742ded44b623ee
The report listed each executable more than once with identical hashes; duplicates are collapsed here. server.exe carries exactly the same hashes as LocalHqxEsTdCwp.exe, so the second stage is a byte-identical copy of the first dropped executable placed in %TEMP%, and the SHA256 40e56583b337aa5a9cd070d40ac91ed2ec18ef8744a9bdc8cf2eb91d4a62019f identifies the njRAT payload itself, independent of the 388KB dropper.
-
Memory dumps:
  memory/316-13   0x000007FEF5CD0000-0x000007FEF5F4A000  2.5MB
  memory/436-16   0x0000000000000000  (mapping)
  memory/736-7    0x0000000000000000  (mapping)
  memory/736-14   0x0000000005F70000-0x0000000005F71000  4KB
  memory/780-15   0x0000000000000000  (mapping)
  memory/1676-10  0x0000000000000000  (mapping)
  memory/1780-4   0x0000000000000000  (mapping)
  memory/1836-2   0x000007FEF5F50000-0x000007FEF68ED000  9.6MB
  memory/1836-3   0x000007FEF5F50000-0x000007FEF68ED000  9.6MB