Analysis
- max time kernel: 149s
- max time network: 149s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 14-12-2020 16:26
- Static task: static1
- Behavioral task: behavioral1
- Sample: c39d3e6cc6336562fed7fe6f1d4f05a1.exe
- Resource: win7v20201028
General
- Target: c39d3e6cc6336562fed7fe6f1d4f05a1.exe
- Size: 221KB
- MD5: c39d3e6cc6336562fed7fe6f1d4f05a1
- SHA1: bce78fe671213b28f7ef11d992decac9bb8f9037
- SHA256: ee8671c0d32759c62ef7aa0b4025fcebdf5409619dd280b9e4db59f01d9a4e30
- SHA512: 3cd0be68ec7b699a5addb197e7423e6318f65658aedcd90fefe445fcaa6c8fd4a2b6532c60c81a78d958fd73500d57c1ded1f43795c4d7f0c0077d837a81bf39
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet: HackKed
- C2: 173.225.115.68:5353
- Mutex: f2f557f71c86cd14f7ea630d1c319240
- reg_key: f2f557f71c86cd14f7ea630d1c319240
- splitter: |'|'|
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid | process):
  3308 | microsoft.exe
- Modifies Windows Firewall (1 TTP)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (33 IoCs)
  Processes (description | pid | process):
  Token: SeDebugPrivilege | 3308 | microsoft.exe
  Token: 33 | 3308 | microsoft.exe
  Token: SeIncBasePriorityPrivilege | 3308 | microsoft.exe
  (the Token: 33 / Token: SeIncBasePriorityPrivilege pair for pid 3308 microsoft.exe repeats 16 times, 33 entries in total)
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description | pid | process | target process):
  PID 508 wrote to memory of 3308 | 508 | c39d3e6cc6336562fed7fe6f1d4f05a1.exe | microsoft.exe (3 entries)
  PID 3308 wrote to memory of 2896 | 3308 | microsoft.exe | netsh.exe (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\c39d3e6cc6336562fed7fe6f1d4f05a1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c39d3e6cc6336562fed7fe6f1d4f05a1.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\microsoft.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\microsoft.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\microsoft.exe" "microsoft.exe" ENABLE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\microsoft.exe
  MD5: c39d3e6cc6336562fed7fe6f1d4f05a1
  SHA1: bce78fe671213b28f7ef11d992decac9bb8f9037
  SHA256: ee8671c0d32759c62ef7aa0b4025fcebdf5409619dd280b9e4db59f01d9a4e30
  SHA512: 3cd0be68ec7b699a5addb197e7423e6318f65658aedcd90fefe445fcaa6c8fd4a2b6532c60c81a78d958fd73500d57c1ded1f43795c4d7f0c0077d837a81bf39
- memory/2896-5-0x0000000000000000-mapping.dmp
- memory/3308-2-0x0000000000000000-mapping.dmp