Analysis
-
max time kernel: 149s
max time network: 149s
platform: windows10_x64
resource: win10v20201028
submitted: 14-12-2020 16:28
Static task: static1
Behavioral task: behavioral1
  Sample: c5e2d8b234f4c2b2db29eba11e18a75c.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: c5e2d8b234f4c2b2db29eba11e18a75c.exe
  Resource: win10v20201028
General
-
Target: c5e2d8b234f4c2b2db29eba11e18a75c.exe
Size: 388KB
MD5: c5e2d8b234f4c2b2db29eba11e18a75c
SHA1: 6c88462bf8c577b1a6fc304f2724491736b56be5
SHA256: 9f85eb5b1e7b261c9a7a1cd793badff334e84942ed652f09a0fc7d83008fe621
SHA512: dab93f487e09c14aaed8f32814d94dfbac9fa9e1d076d730337ab3379058b0bdd012a86219146010e6060eab77b654a8815208a0d027e1cbb3b25b62876f5fa7
Malware Config
Extracted
Family: njrat
Version: 0.7d
Botnet: HacKed
C2: karamnaser321.ddns.net:1177
Mutex: 0518517d1f621a093c3997945c521862
Attributes:
  reg_key: 0518517d1f621a093c3997945c521862
  splitter: |'|'|
Signatures
-
Executes dropped EXE (2 IoCs)
Processes: LocalHqxEsTdCwp.exe, server.exe
  pid | process
  3224 | LocalHqxEsTdCwp.exe
  2956 | server.exe
-
Modifies Windows Firewall (1 TTPs)
-
Drops startup file (2 IoCs)
Processes: server.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0518517d1f621a093c3997945c521862.exe | server.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0518517d1f621a093c3997945c521862.exe | server.exe
-
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: server.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\0518517d1f621a093c3997945c521862 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." | server.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\0518517d1f621a093c3997945c521862 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." | server.exe
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
-
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: WINWORD.EXE
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
-
Modifies registry class (1 IoCs)
Processes: c5e2d8b234f4c2b2db29eba11e18a75c.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings | c5e2d8b234f4c2b2db29eba11e18a75c.exe
-
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes: WINWORD.EXE
  pid | process
  3456 | WINWORD.EXE
  3456 | WINWORD.EXE
-
Suspicious use of AdjustPrivilegeToken (29 IoCs)
Processes: server.exe
  description | pid | process
  Token: SeDebugPrivilege | 2956 | server.exe
  Token: 33 | 2956 | server.exe (14 entries, alternating with the next row)
  Token: SeIncBasePriorityPrivilege | 2956 | server.exe (14 entries)
-
Suspicious use of SetWindowsHookEx (7 IoCs)
Processes: WINWORD.EXE
  pid | process
  3456 | WINWORD.EXE (7 entries)
-
Suspicious use of WriteProcessMemory (11 IoCs)
Processes: c5e2d8b234f4c2b2db29eba11e18a75c.exe, LocalHqxEsTdCwp.exe, server.exe
  description | pid | process | target process
  PID 648 wrote to memory of 3224 | 648 | c5e2d8b234f4c2b2db29eba11e18a75c.exe | LocalHqxEsTdCwp.exe (3 entries)
  PID 648 wrote to memory of 3456 | 648 | c5e2d8b234f4c2b2db29eba11e18a75c.exe | WINWORD.EXE (2 entries)
  PID 3224 wrote to memory of 2956 | 3224 | LocalHqxEsTdCwp.exe | server.exe (3 entries)
  PID 2956 wrote to memory of 2820 | 2956 | server.exe | netsh.exe (3 entries)
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\c5e2d8b234f4c2b2db29eba11e18a75c.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\c5e2d8b234f4c2b2db29eba11e18a75c.exe"
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\LocalHqxEsTdCwp.exe
        command line: "C:\Users\Admin\AppData\LocalHqxEsTdCwp.exe"
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        [3] C:\Users\Admin\AppData\Local\Temp\server.exe
            command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
            - Executes dropped EXE
            - Drops startup file
            - Adds Run key to start application
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\netsh.exe
                command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
    [2] C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
        command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\LocalVhJPsrdoQS.docx" /o ""
        - Checks processor information in registry
        - Enumerates system info in registry
        - Suspicious behavior: AddClipboardFormatListener
        - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\LocalHqxEsTdCwp.exe
  MD5: 3c5d8b82a26ebfa52a7635f815315a71
  SHA1: effa029f17398bee9a9229b4bba7ce42c968f194
  SHA256: 40e56583b337aa5a9cd070d40ac91ed2ec18ef8744a9bdc8cf2eb91d4a62019f
  SHA512: db199a6a846dacec2cd49eebdc5b6b79e26fc8266f7a7b167968240b23fdac25e678352ca4c1c5cf2c52c3f6feb429504ef23cd967376e044c742ded44b623ee
-
C:\Users\Admin\AppData\LocalVhJPsrdoQS.docx
  MD5: 63c814344bb5edcac76c4f829c7f1dad
  SHA1: 77c3bd09de67bf2e0971a34a46a37cfc592ca5df
  SHA256: ddfc3ed056efa3d87bd76e49647815c92d22af8a18d41161af7577b6e3681869
  SHA512: 58c4c6a616f1af40c52e131c5800adf58832eb975f17c291ae3d3c8826a02fe8e41492f5f0b91bdf0127994aa993d68eb766e0c486d8971b21c7b4ab8fa41de5
-
C:\Users\Admin\AppData\Local\Temp\server.exe
  MD5: 3c5d8b82a26ebfa52a7635f815315a71
  SHA1: effa029f17398bee9a9229b4bba7ce42c968f194
  SHA256: 40e56583b337aa5a9cd070d40ac91ed2ec18ef8744a9bdc8cf2eb91d4a62019f
  SHA512: db199a6a846dacec2cd49eebdc5b6b79e26fc8266f7a7b167968240b23fdac25e678352ca4c1c5cf2c52c3f6feb429504ef23cd967376e044c742ded44b623ee
-
memory/648-2-0x00007FF91F570000-0x00007FF91FF10000-memory.dmp
  Filesize: 9.6MB
-
memory/2820-14-0x0000000000000000-mapping.dmp
-
memory/2956-10-0x0000000000000000-mapping.dmp
-
memory/3224-3-0x0000000000000000-mapping.dmp
-
memory/3456-6-0x0000000000000000-mapping.dmp
-
memory/3456-9-0x00007FF91E780000-0x00007FF91EDB7000-memory.dmp
  Filesize: 6.2MB