Analysis
  max time kernel: 150s
  max time network: 137s
  platform: windows10_x64
  resource: win10v20201028
  submitted: 21-12-2020 01:48
  Static task: static1
  Behavioral task: behavioral1
  Sample: ZAgNhZBG.exe
  Resource: win7v20201028
General
  Target: ZAgNhZBG.exe
  Size: 23KB
  MD5: 5859e656d5735eb9a1eeae9a94a3cc16
  SHA1: 85c1ab9c6fe450a83fb2cc1681b45272020ce5a6
  SHA256: 4c91e5ce3dc54a407d6fce46eede37d2e2343f4db688e158e23abb543ce5a350
  SHA512: 8cce673a45d5aa0fde559311466f318a645a47be5da350e6743cc291b88ad0a90c805d0b0185940f34e192fa7011e731157aca0b82627f17e02e227f498f0c68
Malware Config
  Extracted
    Family: njrat
    Version: 0.7d
    Botnet: HacKed
    C2: xoruf.ddns.net:5552
    Mutex: d8f3c9bf39e889408d972a936cea46cc
    Attributes:
      reg_key: d8f3c9bf39e889408d972a936cea46cc
      splitter: @!#&^%$
Signatures
  Executes dropped EXE (1 IoCs)
    Processes:
      pid  | process
      1176 | Google Chrome.exe

  Modifies Windows Firewall (1 TTPs)

  Memory dumps matching yara rule:
      resource | yara_rule
      behavioral2/memory/2940-6-0x0000000000400000-0x0000000000472000-memory.dmp | upx
      behavioral2/memory/2940-8-0x0000000000400000-0x0000000000472000-memory.dmp | upx
      behavioral2/memory/2940-9-0x0000000000400000-0x0000000000472000-memory.dmp | upx

  Drops startup file (2 IoCs)
    Processes:
      description | ioc | process
      File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d8f3c9bf39e889408d972a936cea46cc.exe | Google Chrome.exe
      File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d8f3c9bf39e889408d972a936cea46cc.exe | Google Chrome.exe

  Reads data files stored by FTP clients (2 TTPs)
    Tries to access configuration files associated with programs like FileZilla.

  Uses the VBS compiler for execution (1 TTPs)

  Adds Run key to start application (2 TTPs, 2 IoCs)
    Processes:
      description | ioc | process
      Set value (str) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\d8f3c9bf39e889408d972a936cea46cc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Google Chrome.exe\" .." | Google Chrome.exe
      Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\d8f3c9bf39e889408d972a936cea46cc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Google Chrome.exe\" .." | Google Chrome.exe

  Suspicious use of SetThreadContext (1 IoCs)
    Processes:
      description | pid | process | target process
      PID 1176 set thread context of 2940 | 1176 | Google Chrome.exe | vbc.exe

  Enumerates physical storage devices (1 TTPs)
    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  Suspicious use of AdjustPrivilegeToken (34 IoCs)
    Processes:
      description | pid | process
      Token: SeDebugPrivilege | 1176 | Google Chrome.exe
      Token: 33 | 1176 | Google Chrome.exe
      Token: SeIncBasePriorityPrivilege | 1176 | Google Chrome.exe
      Token: 33 | 1176 | Google Chrome.exe
      Token: SeIncBasePriorityPrivilege | 1176 | Google Chrome.exe
      Token: 33 | 1176 | Google Chrome.exe
      Token: SeIncBasePriorityPrivilege | 1176 | Google Chrome.exe
      Token: 33 | 1176 | Google Chrome.exe
      Token: SeIncBasePriorityPrivilege | 1176 | Google Chrome.exe
      Token: 33 | 1176 | Google Chrome.exe
      Token: SeIncBasePriorityPrivilege | 1176 | Google Chrome.exe
      Token: 33 | 1176 | Google Chrome.exe
      Token: SeIncBasePriorityPrivilege | 1176 | Google Chrome.exe
      Token: 33 | 1176 | Google Chrome.exe
      Token: SeIncBasePriorityPrivilege | 1176 | Google Chrome.exe
      Token: 33 | 1176 | Google Chrome.exe
      Token: SeIncBasePriorityPrivilege | 1176 | Google Chrome.exe
      Token: SeDebugPrivilege | 2940 | vbc.exe
      Token: 33 | 1176 | Google Chrome.exe
      Token: SeIncBasePriorityPrivilege | 1176 | Google Chrome.exe
      Token: 33 | 1176 | Google Chrome.exe
      Token: SeIncBasePriorityPrivilege | 1176 | Google Chrome.exe
      Token: 33 | 1176 | Google Chrome.exe
      Token: SeIncBasePriorityPrivilege | 1176 | Google Chrome.exe
      Token: 33 | 1176 | Google Chrome.exe
      Token: SeIncBasePriorityPrivilege | 1176 | Google Chrome.exe
      Token: 33 | 1176 | Google Chrome.exe
      Token: SeIncBasePriorityPrivilege | 1176 | Google Chrome.exe
      Token: 33 | 1176 | Google Chrome.exe
      Token: SeIncBasePriorityPrivilege | 1176 | Google Chrome.exe
      Token: 33 | 1176 | Google Chrome.exe
      Token: SeIncBasePriorityPrivilege | 1176 | Google Chrome.exe
      Token: 33 | 1176 | Google Chrome.exe
      Token: SeIncBasePriorityPrivilege | 1176 | Google Chrome.exe

  Suspicious use of WriteProcessMemory (13 IoCs)
    Processes:
      description | pid | process | target process
      PID 1400 wrote to memory of 1176 | 1400 | ZAgNhZBG.exe | Google Chrome.exe
      PID 1400 wrote to memory of 1176 | 1400 | ZAgNhZBG.exe | Google Chrome.exe
      PID 1400 wrote to memory of 1176 | 1400 | ZAgNhZBG.exe | Google Chrome.exe
      PID 1176 wrote to memory of 632 | 1176 | Google Chrome.exe | netsh.exe
      PID 1176 wrote to memory of 632 | 1176 | Google Chrome.exe | netsh.exe
      PID 1176 wrote to memory of 632 | 1176 | Google Chrome.exe | netsh.exe
      PID 1176 wrote to memory of 2940 | 1176 | Google Chrome.exe | vbc.exe
      PID 1176 wrote to memory of 2940 | 1176 | Google Chrome.exe | vbc.exe
      PID 1176 wrote to memory of 2940 | 1176 | Google Chrome.exe | vbc.exe
      PID 1176 wrote to memory of 2940 | 1176 | Google Chrome.exe | vbc.exe
      PID 1176 wrote to memory of 2940 | 1176 | Google Chrome.exe | vbc.exe
      PID 1176 wrote to memory of 2940 | 1176 | Google Chrome.exe | vbc.exe
      PID 1176 wrote to memory of 2940 | 1176 | Google Chrome.exe | vbc.exe
Processes
  C:\Users\Admin\AppData\Local\Temp\ZAgNhZBG.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\ZAgNhZBG.exe"
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\Google Chrome.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Google Chrome.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\netsh.exe
        Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Google Chrome.exe" "Google Chrome.exe" ENABLE
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" -f "C:\Users\Admin\AppData\Local\Temp\3686021"
        - Suspicious use of AdjustPrivilegeToken
Downloads
  C:\Users\Admin\AppData\Local\Temp\3686021
    MD5: 6d0e849b0647746facd7c73f03b4d366
    SHA1: 3138201a6608428b922bd86168b51cf80615bc91
    SHA256: c2f229ba47f29fccb6d35a908e887bf97e9e87cdb1110e855d5caa39571e5d72
    SHA512: 3839589f64141ba269f95e2726dd040ee09b6c9c09f5765dcdba847b02f68fa000b588a272f17e73ac42e81b3bb154535dc20da6dce0682b4b3a1ac2daada86a

  C:\Users\Admin\AppData\Local\Temp\Google Chrome.exe
    MD5: 5859e656d5735eb9a1eeae9a94a3cc16
    SHA1: 85c1ab9c6fe450a83fb2cc1681b45272020ce5a6
    SHA256: 4c91e5ce3dc54a407d6fce46eede37d2e2343f4db688e158e23abb543ce5a350
    SHA512: 8cce673a45d5aa0fde559311466f318a645a47be5da350e6743cc291b88ad0a90c805d0b0185940f34e192fa7011e731157aca0b82627f17e02e227f498f0c68
  memory/632-5-0x0000000000000000-mapping.dmp
  memory/1176-2-0x0000000000000000-mapping.dmp
  memory/2940-6-0x0000000000400000-0x0000000000472000-memory.dmp
    Filesize: 456KB
  memory/2940-7-0x00000000004700E0-mapping.dmp
  memory/2940-8-0x0000000000400000-0x0000000000472000-memory.dmp
    Filesize: 456KB
  memory/2940-9-0x0000000000400000-0x0000000000472000-memory.dmp
    Filesize: 456KB