Analysis

max time kernel: 147s
max time network: 146s
platform: windows7_x64
resource: win7v20201028
submitted: 14-12-2020 16:26

Static task: static1
Behavioral task: behavioral1
Sample: c39d3e6cc6336562fed7fe6f1d4f05a1.exe
Resource: win7v20201028
General

Target: c39d3e6cc6336562fed7fe6f1d4f05a1.exe
Size: 221KB
MD5: c39d3e6cc6336562fed7fe6f1d4f05a1
SHA1: bce78fe671213b28f7ef11d992decac9bb8f9037
SHA256: ee8671c0d32759c62ef7aa0b4025fcebdf5409619dd280b9e4db59f01d9a4e30
SHA512: 3cd0be68ec7b699a5addb197e7423e6318f65658aedcd90fefe445fcaa6c8fd4a2b6532c60c81a78d958fd73500d57c1ded1f43795c4d7f0c0077d837a81bf39
Malware Config

Extracted (column labels restored; the extraction dropped them)
Family: njrat
Version: 0.7d
Botnet: HackKed
C2: 173.225.115.68:5353
Mutex: f2f557f71c86cd14f7ea630d1c319240
Attributes
  reg_key: f2f557f71c86cd14f7ea630d1c319240
  splitter: |'|'|

Notes on the config: the mutex and reg_key carry the same string. njRAT 0.7d reuses its single identifier both as the mutex name and as the name of the Run-key value it writes for persistence, so the same value can be hunted in both places (the registry write itself is not among the signatures this report lists). The splitter is the delimiter between the fields of every C2 message, which makes it a reliable network content match. Port 5353 is not the builder default (5552) and happens to be the mDNS port number; the RAT's connection to it is plain TCP.
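The splitter and the C2 address above are the two config values that turn into network detections. The following is an added example, not code from the sandbox vendor or from the sample: it reassembles a captured njRAT TCP stream into messages and splits each one on the configured splitter. It assumes framing and field layout that this page does not state (ASCII decimal length, NUL byte, payload; fields joined by the splitter, command name first), and every byte of its input is constructed, with "ll", "inf" and "ping" used only as placeholder command names.

```python
"""Reassemble an njRAT C2 byte stream into messages and split each one on
the splitter from this report's extracted config.

Added example; not code from the sandbox vendor or from the sample.
Assumptions not stated on this page: njRAT frames each message as the
ASCII decimal payload length, a NUL byte, then the payload, and joins the
payload's fields with the configured splitter, the first field being the
command name. The stream below is constructed; its command tokens and
field values are placeholders, not data from the sample.
"""
from typing import List, Tuple

SPLITTER = b"|'|'|"  # from the extracted config


def frame(payload: bytes) -> bytes:
    """Wrap a payload in the assumed length-NUL framing."""
    return str(len(payload)).encode("ascii") + b"\x00" + payload


def parse_stream(data: bytes, splitter: bytes = SPLITTER
                 ) -> Tuple[List[Tuple[str, List[bytes]]], bytes]:
    """Return (messages, leftover). Each message is (command, fields).
    leftover holds a trailing partial frame so the caller can append the
    next TCP segment and call again."""
    messages = []
    pos = 0
    while True:
        nul = data.find(b"\x00", pos)
        if nul == -1:
            break  # no complete length prefix yet
        length_txt = data[pos:nul]
        if not length_txt.isdigit() or len(length_txt) > 9:
            raise ValueError(f"bad length prefix at offset {pos}: {length_txt!r}")
        end = nul + 1 + int(length_txt)
        if end > len(data):
            break  # payload not fully received
        fields = data[nul + 1:end].split(splitter)
        messages.append((fields[0].decode("utf-8", "replace"), fields[1:]))
        pos = end
    return messages, data[pos:]


def splitter_hits(data: bytes, splitter: bytes = SPLITTER,
                  min_fields: int = 3) -> bool:
    """Cheap triage check for a captured payload: does any complete frame
    carry at least min_fields splitter-delimited fields?"""
    try:
        messages, _ = parse_stream(data, splitter)
    except ValueError:
        return False
    return any(len(fields) + 1 >= min_fields for _, fields in messages)


# Constructed stream: a registration-style message, a short command, and
# a partial frame still in flight. "HackKed" is the botnet name from the
# config; the other values are placeholders.
STREAM = (
    frame(SPLITTER.join([b"ll", b"placeholder-id", b"HackKed", b"WIN7-PC"]))
    + frame(b"inf")
    + b"11\x00pi"
)

if __name__ == "__main__":
    msgs, rest = parse_stream(STREAM)
    for cmd, fields in msgs:
        print(cmd, fields)
    print("leftover:", rest)
```

When the same match is written as a Snort or Suricata content rule, each pipe in the splitter has to be escaped (`\|'\|'\|`), because an unescaped `|` opens a hex-byte section in the content syntax.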
Signatures

Executes dropped EXE (1 IoC)
  PID   Process
  820   microsoft.exe

Modifies Windows Firewall (1 TTP)
  No process rows in the report; the matching command line is the netsh.exe entry in the process tree below.

Loads dropped DLL (1 IoC)
  PID   Process
  736   c39d3e6cc6336562fed7fe6f1d4f05a1.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  Note: that sentence is the sandbox's generic description for this signature, not a verdict on this sample. njRAT carries a file manager and a removable-drive spreading option, so drive enumeration is expected from it, and no encryption activity appears anywhere in this report.

Suspicious use of AdjustPrivilegeToken (31 IoCs)
  Description                        PID   Process
  Token: SeDebugPrivilege            820   microsoft.exe
  Token: 33                          820   microsoft.exe   (this pair of rows is repeated 15 times)
  Token: SeIncBasePriorityPrivilege  820   microsoft.exe
  Note: "33" is a privilege LUID the sandbox did not resolve to a name; in winnt.h SE_INC_WORKING_SET_PRIVILEGE is 33, i.e. SeIncreaseWorkingSetPrivilege. SeDebugPrivilege is the row worth alerting on: it is enabled once, by the dropped copy, and is what lets a user-mode process open other processes regardless of their DACL.

Suspicious use of WriteProcessMemory (8 IoCs)
  Description                      PID   Process                                Target process
  PID 736 wrote to memory of 820   736   c39d3e6cc6336562fed7fe6f1d4f05a1.exe   microsoft.exe   (4 identical rows)
  PID 820 wrote to memory of 1196  820   microsoft.exe                          netsh.exe       (4 identical rows)
  Note: both writer/target pairs are the parent/child pairs of the process tree. A parent writing into a child it has just created is part of normal process start-up on Windows (the creating process sets up the new process's initial memory), so these rows corroborate the tree rather than showing injection into an unrelated process.
Processes

C:\Users\Admin\AppData\Local\Temp\c39d3e6cc6336562fed7fe6f1d4f05a1.exe  (PID 736)
  "C:\Users\Admin\AppData\Local\Temp\c39d3e6cc6336562fed7fe6f1d4f05a1.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\microsoft.exe  (PID 820, child of 736)
    "C:\Users\Admin\AppData\Local\Temp\microsoft.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\netsh.exe  (PID 1196, child of 820)
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\microsoft.exe" "microsoft.exe" ENABLE

Notes on the tree: the dropped copy whitelists itself in the Windows Firewall by full path, using the legacy "netsh firewall" context (superseded by "netsh advfirewall" since Vista, still accepted on Windows 7). Because the rule is keyed to a path, it is easy to hunt: enumerate firewall exceptions and flag any whose program sits in a user-writable temp directory. netsh is resolved from SysWOW64 because the caller is a 32-bit process on this x64 guest; the same command issued by a 64-bit process would show C:\Windows\System32\netsh.exe.
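The tree above is one procedure: run from the user's Temp directory, re-launch a copy of yourself from the same directory, then whitelist that copy in the firewall. As an added example (not the sandbox vendor's or the sample's code), the following runs two checks over constructed Sysmon-style process-creation records that mirror this tree; the dropper's parent PID (1000) and the final, benign-looking record are assumptions included only to show what does not alert.

```python
"""Detection logic for the process chain in this report, run over
constructed Sysmon-style process-creation records.

Added example; not code from the sandbox vendor or from the sample.
The records mirror the report's tree (PIDs 736 -> 820 -> 1196). The
dropper's parent PID (1000) and the last, benign-looking record are
assumptions added only to show what does not alert.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# User-writable temp directory, the drop location in this report.
USER_TEMP = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)

# Legacy Windows Firewall syntax (as in the report) and the advfirewall
# equivalent; both capture the program path being whitelisted.
LEGACY_ALLOW = re.compile(r'firewall\s+add\s+allowedprogram\s+"([^"]+)"', re.I)
ADVFW_ALLOW = re.compile(
    r'advfirewall\s+firewall\s+add\s+rule\b.*?\bprogram="([^"]+)"', re.I)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full path of the new process
    cmdline: str   # its command line


def firewall_exclusion_target(cmdline: str) -> Optional[str]:
    """Return the program path a netsh command adds to the firewall allow
    list, or None if the command line is not such an exclusion."""
    for rx in (LEGACY_ALLOW, ADVFW_ALLOW):
        m = rx.search(cmdline)
        if m:
            return m.group(1)
    return None


def find_firewall_exclusions(events: List[ProcEvent]) -> List[dict]:
    """Flag netsh exclusions whose target lives in a user temp directory or
    is the very process that launched netsh (self-whitelisting)."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if not e.image.lower().endswith("\\netsh.exe"):
            continue
        target = firewall_exclusion_target(e.cmdline)
        if target is None:
            continue
        parent = by_pid.get(e.ppid)
        reasons = []
        if USER_TEMP.match(target):
            reasons.append("target in user temp dir")
        if parent is not None and parent.image.lower() == target.lower():
            reasons.append("parent whitelists itself")
        if reasons:
            hits.append({"pid": e.pid, "ppid": e.ppid, "target": target,
                         "reasons": reasons})
    return hits


def find_temp_self_copy_chains(events: List[ProcEvent]) -> List[Tuple[int, int]]:
    """Parent running from a user temp directory launching a differently
    named child that also runs from a user temp directory: the dropper ->
    microsoft.exe step in this report. Returns (parent_pid, child_pid)."""
    by_pid = {e.pid: e for e in events}
    chains = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue
        if (USER_TEMP.match(e.image) and USER_TEMP.match(parent.image)
                and e.image.lower() != parent.image.lower()):
            chains.append((parent.pid, e.pid))
    return chains


# Constructed records mirroring the report's process tree.
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
DROPPER = TEMP + r"\c39d3e6cc6336562fed7fe6f1d4f05a1.exe"
COPY = TEMP + r"\microsoft.exe"
EVENTS = [
    ProcEvent(736, 1000, DROPPER, f'"{DROPPER}"'),
    ProcEvent(820, 736, COPY, f'"{COPY}"'),
    ProcEvent(1196, 820, r"C:\Windows\SysWOW64\netsh.exe",
              f'netsh firewall add allowedprogram "{COPY}" "microsoft.exe" ENABLE'),
    # Assumed baseline: an installer whitelisting a Program Files binary.
    ProcEvent(2000, 1000, r"C:\Windows\System32\netsh.exe",
              'netsh advfirewall firewall add rule name="Agent" dir=in '
              'action=allow program="C:\\Program Files\\Vendor\\agent.exe"'),
]

if __name__ == "__main__":
    for hit in find_firewall_exclusions(EVENTS):
        print("firewall exclusion:", hit)
    for parent_pid, child_pid in find_temp_self_copy_chains(EVENTS):
        print(f"temp-dir self-copy chain: {parent_pid} -> {child_pid}")
```

The two checks are kept separate on purpose: the self-whitelisting test fires on the netsh record alone and needs no file hashes, while the temp-to-temp launch chain catches the rename step even on a host where the RAT's firewall command fails or is changed.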
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\microsoft.exe
(the report lists this file three times, once under the drive-less form \Users\Admin\AppData\Local\Temp\microsoft.exe; all three entries carry the same hashes)
MD5: c39d3e6cc6336562fed7fe6f1d4f05a1
SHA1: bce78fe671213b28f7ef11d992decac9bb8f9037
SHA256: ee8671c0d32759c62ef7aa0b4025fcebdf5409619dd280b9e4db59f01d9a4e30
SHA512: 3cd0be68ec7b699a5addb197e7423e6318f65658aedcd90fefe445fcaa6c8fd4a2b6532c60c81a78d958fd73500d57c1ded1f43795c4d7f0c0077d837a81bf39

These hashes are identical to the submitted sample's, so the "dropped EXE" is a byte-for-byte copy of the original renamed to microsoft.exe. One file hash therefore covers both the dropper and the running payload, and the rename into the Temp directory, not the file content, is the artifact that distinguishes the second stage.
memory/820-3-0x0000000000000000-mapping.dmp
memory/1196-6-0x0000000000000000-mapping.dmp