Analysis
- max time kernel: 149s
- max time network: 139s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 21-12-2020 01:48

Tasks
- Static task: static1
- Behavioral task: behavioral1
- Sample: ZAgNhZBG.exe
- Resource: win7v20201028
General
- Target: ZAgNhZBG.exe
- Size: 23KB
- MD5: 5859e656d5735eb9a1eeae9a94a3cc16
- SHA1: 85c1ab9c6fe450a83fb2cc1681b45272020ce5a6
- SHA256: 4c91e5ce3dc54a407d6fce46eede37d2e2343f4db688e158e23abb543ce5a350
- SHA512: 8cce673a45d5aa0fde559311466f318a645a47be5da350e6743cc291b88ad0a90c805d0b0185940f34e192fa7011e731157aca0b82627f17e02e227f498f0c68
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet: HacKed
- C2: xoruf.ddns.net:5552
- Mutex: d8f3c9bf39e889408d972a936cea46cc
- Attributes:
  - reg_key: d8f3c9bf39e889408d972a936cea46cc
  - splitter: @!#&^%$
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
  pid | process
  604 | Google Chrome.exe
- Modifies Windows Firewall (1 TTP)
- YARA rule matches (packer detection)
  resource | yara_rule
  behavioral1/memory/436-7-0x0000000000400000-0x0000000000472000-memory.dmp | upx
  behavioral1/memory/436-9-0x0000000000400000-0x0000000000472000-memory.dmp | upx
  behavioral1/memory/436-10-0x0000000000400000-0x0000000000472000-memory.dmp | upx
- Drops startup file (2 IoCs)
  Processes:
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d8f3c9bf39e889408d972a936cea46cc.exe | Google Chrome.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d8f3c9bf39e889408d972a936cea46cc.exe | Google Chrome.exe
- Loads dropped DLL (1 IoC)
  Processes:
  pid | process
  1852 | ZAgNhZBG.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Uses the VBS compiler for execution (1 TTP)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\d8f3c9bf39e889408d972a936cea46cc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Google Chrome.exe\" .." | Google Chrome.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\d8f3c9bf39e889408d972a936cea46cc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Google Chrome.exe\" .." | Google Chrome.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description | pid | process | target process
  PID 604 set thread context of 436 | 604 | Google Chrome.exe | vbc.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (32 IoCs)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 604 | Google Chrome.exe
  Token: 33 | 604 | Google Chrome.exe
  Token: SeIncBasePriorityPrivilege | 604 | Google Chrome.exe
  Token: 33 | 604 | Google Chrome.exe
  Token: SeIncBasePriorityPrivilege | 604 | Google Chrome.exe
  Token: 33 | 604 | Google Chrome.exe
  Token: SeIncBasePriorityPrivilege | 604 | Google Chrome.exe
  Token: 33 | 604 | Google Chrome.exe
  Token: SeIncBasePriorityPrivilege | 604 | Google Chrome.exe
  Token: 33 | 604 | Google Chrome.exe
  Token: SeIncBasePriorityPrivilege | 604 | Google Chrome.exe
  Token: 33 | 604 | Google Chrome.exe
  Token: SeIncBasePriorityPrivilege | 604 | Google Chrome.exe
  Token: 33 | 604 | Google Chrome.exe
  Token: SeIncBasePriorityPrivilege | 604 | Google Chrome.exe
  Token: 33 | 604 | Google Chrome.exe
  Token: SeIncBasePriorityPrivilege | 604 | Google Chrome.exe
  Token: SeDebugPrivilege | 436 | vbc.exe
  Token: 33 | 604 | Google Chrome.exe
  Token: SeIncBasePriorityPrivilege | 604 | Google Chrome.exe
  Token: 33 | 604 | Google Chrome.exe
  Token: SeIncBasePriorityPrivilege | 604 | Google Chrome.exe
  Token: 33 | 604 | Google Chrome.exe
  Token: SeIncBasePriorityPrivilege | 604 | Google Chrome.exe
  Token: 33 | 604 | Google Chrome.exe
  Token: SeIncBasePriorityPrivilege | 604 | Google Chrome.exe
  Token: 33 | 604 | Google Chrome.exe
  Token: SeIncBasePriorityPrivilege | 604 | Google Chrome.exe
  Token: 33 | 604 | Google Chrome.exe
  Token: SeIncBasePriorityPrivilege | 604 | Google Chrome.exe
  Token: 33 | 604 | Google Chrome.exe
  Token: SeIncBasePriorityPrivilege | 604 | Google Chrome.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes:
  description | pid | process | target process
  PID 1852 wrote to memory of 604 | 1852 | ZAgNhZBG.exe | Google Chrome.exe
  PID 1852 wrote to memory of 604 | 1852 | ZAgNhZBG.exe | Google Chrome.exe
  PID 1852 wrote to memory of 604 | 1852 | ZAgNhZBG.exe | Google Chrome.exe
  PID 1852 wrote to memory of 604 | 1852 | ZAgNhZBG.exe | Google Chrome.exe
  PID 604 wrote to memory of 1620 | 604 | Google Chrome.exe | netsh.exe
  PID 604 wrote to memory of 1620 | 604 | Google Chrome.exe | netsh.exe
  PID 604 wrote to memory of 1620 | 604 | Google Chrome.exe | netsh.exe
  PID 604 wrote to memory of 1620 | 604 | Google Chrome.exe | netsh.exe
  PID 604 wrote to memory of 436 | 604 | Google Chrome.exe | vbc.exe
  PID 604 wrote to memory of 436 | 604 | Google Chrome.exe | vbc.exe
  PID 604 wrote to memory of 436 | 604 | Google Chrome.exe | vbc.exe
  PID 604 wrote to memory of 436 | 604 | Google Chrome.exe | vbc.exe
  PID 604 wrote to memory of 436 | 604 | Google Chrome.exe | vbc.exe
  PID 604 wrote to memory of 436 | 604 | Google Chrome.exe | vbc.exe
  PID 604 wrote to memory of 436 | 604 | Google Chrome.exe | vbc.exe
  PID 604 wrote to memory of 436 | 604 | Google Chrome.exe | vbc.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\ZAgNhZBG.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ZAgNhZBG.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Google Chrome.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Google Chrome.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Google Chrome.exe" "Google Chrome.exe" ENABLE
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" -f "C:\Users\Admin\AppData\Local\Temp\1809397"
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\1809397
  MD5: e4bf4f7accc657622fe419c0d62419ab
  SHA1: c2856936dd3de05bad0da5ca94d6b521e40ab5a2
  SHA256: b32fa68b79c5a7ceaa89e8e537efe33a963c499666202611329944bd2c09318e
  SHA512: 85dc223e39a16ddeba53a4b3d6c9eff14d30ec67dfda1e650da2c9057f640edd033a31868915a31caac0d325d240a7f634f62cd52fbd2adc68bd1d9cb6281431
- C:\Users\Admin\AppData\Local\Temp\Google Chrome.exe
  MD5: 5859e656d5735eb9a1eeae9a94a3cc16
  SHA1: 85c1ab9c6fe450a83fb2cc1681b45272020ce5a6
  SHA256: 4c91e5ce3dc54a407d6fce46eede37d2e2343f4db688e158e23abb543ce5a350
  SHA512: 8cce673a45d5aa0fde559311466f318a645a47be5da350e6743cc291b88ad0a90c805d0b0185940f34e192fa7011e731157aca0b82627f17e02e227f498f0c68
- C:\Users\Admin\AppData\Local\Temp\Google Chrome.exe
  MD5: 5859e656d5735eb9a1eeae9a94a3cc16
  SHA1: 85c1ab9c6fe450a83fb2cc1681b45272020ce5a6
  SHA256: 4c91e5ce3dc54a407d6fce46eede37d2e2343f4db688e158e23abb543ce5a350
  SHA512: 8cce673a45d5aa0fde559311466f318a645a47be5da350e6743cc291b88ad0a90c805d0b0185940f34e192fa7011e731157aca0b82627f17e02e227f498f0c68
- \Users\Admin\AppData\Local\Temp\Google Chrome.exe
  MD5: 5859e656d5735eb9a1eeae9a94a3cc16
  SHA1: 85c1ab9c6fe450a83fb2cc1681b45272020ce5a6
  SHA256: 4c91e5ce3dc54a407d6fce46eede37d2e2343f4db688e158e23abb543ce5a350
  SHA512: 8cce673a45d5aa0fde559311466f318a645a47be5da350e6743cc291b88ad0a90c805d0b0185940f34e192fa7011e731157aca0b82627f17e02e227f498f0c68

Memory dumps
- memory/436-7-0x0000000000400000-0x0000000000472000-memory.dmp
  Filesize: 456KB
- memory/436-8-0x00000000004700E0-mapping.dmp
- memory/436-9-0x0000000000400000-0x0000000000472000-memory.dmp
  Filesize: 456KB
- memory/436-10-0x0000000000400000-0x0000000000472000-memory.dmp
  Filesize: 456KB
- memory/604-3-0x0000000000000000-mapping.dmp
- memory/1604-11-0x000007FEF77D0000-0x000007FEF7A4A000-memory.dmp
  Filesize: 2.5MB
- memory/1620-6-0x0000000000000000-mapping.dmp