Analysis
Max time kernel: 151s
Max time network: 152s
Platform: windows7_x64
Resource: win7v20201028
Submitted: 23-12-2020 19:03
Tasks
Static task: static1
Behavioral task: behavioral1, sample Vrz7skDd.exe, resource win7v20201028
Behavioral task: behavioral2, sample Vrz7skDd.exe, resource win10v20201028
General
Target: Vrz7skDd.exe
Size: 23KB
MD5: d53632afb8714caff16ff790a2799cd4
SHA1: 2b156be1603ee3f615d3727c6d28d30b44821869
SHA256: 0cf5a7646bb4033425811d5d0a1432d229c87e4850228be4ca5493fcaf2c0c3a
SHA512: 97f2dbb993100d414de977f1bbed851acec1d766f2593038f926f11d3d1d75d82ef6fda136feb12392023defe5c5abc991037900d8101a29f68c11db9a074012
Malware Config
Extracted family: njrat
Version: 0.7d
Campaign ID: ابن سوريا A_B_N_SYRIA (Arabic "Son of Syria", followed by its transliteration)
C2: xoruf.ddns.net:5552 (a dynamic-DNS hostname; resolve it at hunt time rather than pinning an IP)
5e3a65ea61324e81c313ed04d0316f69 (label missing from the extraction; same value as reg_key below)
reg_key: 5e3a65ea61324e81c313ed04d0316f69
splitter: @!#&^%$
The reg_key value reappears in the behavioral results as both the Run value name and the Startup-folder filename; the splitter is the delimiter the client uses between fields of its C2 messages.
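The extracted splitter is the only protocol detail this report gives, so the following added example (my code, not the report's and not njRAT's) shows how a sensor would use it. It assumes, from public njRAT write-ups rather than from this page, that each C2 message is the decimal payload length, a NUL byte, then the payload with fields joined by the splitter; the sample stream and its field values are constructed, since the report recorded no network data.

```python
# Added example; not code from the Triage report or from njRAT itself.
# Framing assumption (from public njRAT write-ups, not from this page): each
# message on the C2 channel is "<decimal payload length><NUL><payload>", and
# payload fields are joined with the configured splitter.
from typing import List, Optional, Tuple

SPLITTER = b"@!#&^%$"          # splitter from the extracted config
C2 = ("xoruf.ddns.net", 5552)  # C2 from the extracted config, for reference only


def parse_frame(buf: bytes) -> Optional[Tuple[bytes, bytes]]:
    """Return (payload, leftover) for the first complete frame in buf, or None
    while the frame is still incomplete. Raises ValueError on a bad prefix."""
    nul = buf.find(b"\x00")
    if nul == -1:
        # No terminator yet: acceptable only if what we have is a short run of digits.
        if buf and (len(buf) > 10 or not buf.isdigit()):
            raise ValueError("length prefix is not decimal digits")
        return None
    prefix = buf[:nul]
    if not prefix.isdigit() or len(prefix) > 10:
        raise ValueError("length prefix is not decimal digits")
    length = int(prefix)                  # treated as a byte count (assumption)
    start = nul + 1
    if len(buf) < start + length:
        return None                       # payload still arriving
    return buf[start:start + length], buf[start + length:]


def parse_stream(buf: bytes, splitter: bytes = SPLITTER) -> Tuple[List[List[bytes]], bytes]:
    """Consume every complete frame in buf; return each frame's fields and the leftover bytes."""
    messages: List[List[bytes]] = []
    while True:
        frame = parse_frame(buf)
        if frame is None:
            return messages, buf
        payload, buf = frame
        messages.append(payload.split(splitter))


def build_frame(fields: List[bytes], splitter: bytes = SPLITTER) -> bytes:
    """Inverse of parse_stream for one message; used here only to build sample data."""
    payload = splitter.join(fields)
    return str(len(payload)).encode("ascii") + b"\x00" + payload


def looks_like_njrat(buf: bytes, splitter: bytes = SPLITTER) -> bool:
    """Stream heuristic for a sensor: the first frame parses and carries the splitter."""
    try:
        frame = parse_frame(buf)
    except ValueError:
        return False
    return frame is not None and splitter in frame[0]


# Constructed sample: two complete frames followed by a partial one. The field
# values are placeholders, not captured traffic.
SAMPLE_STREAM = (
    build_frame([b"ll", b"QV9CX05fU1lSSUE=", b"HOST-1", b"Admin"])
    + build_frame([b"inf", b"x"])
    + b"12\x00part"
)

if __name__ == "__main__":
    msgs, rest = parse_stream(SAMPLE_STREAM)
    for fields in msgs:
        print(fields)
    print("leftover:", rest)
```

A sensor watching traffic to xoruf.ddns.net:5552 would feed reassembled TCP payloads into parse_stream and keep the leftover for the next segment; looks_like_njrat is the cheap first-pass test, and a splitter change in a later build is a one-constant update.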
Signatures

Executes dropped EXE (1 IoC)
  Process: Google Chrome.exe, PID 1504

Modifies Windows Firewall (1 TTP)
  Performed through the netsh.exe child shown in the process tree (netsh firewall add allowedprogram for the dropped copy).

Drops startup file (2 IoCs)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5e3a65ea61324e81c313ed04d0316f69.exe (Google Chrome.exe)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5e3a65ea61324e81c313ed04d0316f69.exe (Google Chrome.exe)
  The filename is the reg_key value from the extracted config.

Loads dropped DLL (1 IoC)
  Process: Vrz7skDd.exe, PID 1084

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\5e3a65ea61324e81c313ed04d0316f69 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Google Chrome.exe\" .." (Google Chrome.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\5e3a65ea61324e81c313ed04d0316f69 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Google Chrome.exe\" .." (Google Chrome.exe)
  Both the per-user (HKU) and the machine-wide (HKLM) Run keys are written; the HKLM value lands under Wow6432Node because the 32-bit process is subject to WOW64 registry redirection on this x64 host. The value name is again the reg_key from the config, and the data ends with a trailing " ..", a detail worth matching on.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description of this signature calls it likely ransomware behaviour; nothing else in this report shows file encryption, and the extracted family is a RAT.

Suspicious use of AdjustPrivilegeToken (31 IoCs)
  Process: Google Chrome.exe, PID 1504
  Token: SeDebugPrivilege (1 time)
  Token: 33 (privilege LUID 33, SeIncreaseWorkingSetPrivilege) (15 times)
  Token: SeIncBasePriorityPrivilege (15 times)
  The last two alternate in pairs for the rest of the run.

Suspicious use of WriteProcessMemory (8 IoCs)
  PID 1084 (Vrz7skDd.exe) wrote to memory of PID 1504 (Google Chrome.exe): 4 times
  PID 1504 (Google Chrome.exe) wrote to memory of PID 1612 (netsh.exe): 4 times
Processes
1. C:\Users\Admin\AppData\Local\Temp\Vrz7skDd.exe (PID 1084)
   Command line: "C:\Users\Admin\AppData\Local\Temp\Vrz7skDd.exe"
   Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\Google Chrome.exe (PID 1504, child of 1)
      Command line: "C:\Users\Admin\AppData\Roaming\Google Chrome.exe"
      Signatures: Executes dropped EXE; Drops startup file; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\netsh.exe (PID 1612, child of 2)
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Google Chrome.exe" "Google Chrome.exe" ENABLE
The chain is: the submitted sample copies itself to %APPDATA%\Google Chrome.exe (identical hashes, see Downloads), starts the copy, and the copy registers itself in the Run keys and the Startup folder and then adds a firewall exception for its own path. The exception uses the legacy netsh firewall context, which is deprecated in favour of netsh advfirewall but still works on Windows 7; netsh.exe is loaded from SysWOW64 because the calling process is 32-bit.
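The signatures and the process tree above amount to a detection recipe: a Run value pointing into the user profile with a trailing " ..", a file dropped into the Startup folder, an executable living directly in %APPDATA%, and a netsh firewall exception spawned by that executable. The following added example (my code, not the report's) turns that recipe into rules and correlates them per process. The event records are constructed to mirror the report's IoCs in a Sysmon-like shape; the field names (EventID, ProcessId, ParentProcessId, Image, CommandLine, TargetFilename, TargetObject, Details) are an assumed schema for illustration, and the OneDrive record is a constructed benign control.

```python
# Added example; not code from the Triage report. Host-side detection of the
# persistence chain this report records. The event records below are constructed
# to mirror the report's IoCs in a Sysmon-like shape (EventID 1 = process create,
# 11 = file create, 13 = registry value set); the field names are an assumed
# schema for illustration, not an exact log format.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

STARTUP_DIR = r"\microsoft\windows\start menu\programs\startup"
RUN_KEY_RE = re.compile(r"\\software\\(wow6432node\\)?microsoft\\windows\\currentversion\\run\\", re.I)
NETSH_ALLOW_RE = re.compile(r"\bnetsh(\.exe)?\b.*\bfirewall\b.*\badd\s+allowedprogram\b", re.I)
EXE_IN_ROAMING_ROOT_RE = re.compile(r"\\appdata\\roaming\\[^\\]+\.exe$", re.I)


@dataclass
class Finding:
    rule: str
    pid: int
    ppid: Optional[int]
    detail: str


def detect(events: List[Dict]) -> List[Finding]:
    """Apply per-event rules; each rule corresponds to one signature in the report."""
    findings: List[Finding] = []
    for ev in events:
        eid, pid, ppid = ev["EventID"], ev["ProcessId"], ev.get("ParentProcessId")
        if eid == 13 and RUN_KEY_RE.search(ev["TargetObject"]):
            data = ev["Details"]
            # This sample's Run data ends in ' ..' and points into the user profile;
            # a Run value from Program Files without that suffix is left alone.
            if data.rstrip().endswith("..") or "\\appdata\\" in data.lower():
                findings.append(Finding("run_key_persistence", pid, ppid,
                                        f"{ev['TargetObject']} = {data}"))
        elif eid == 11 and STARTUP_DIR in ev["TargetFilename"].lower():
            findings.append(Finding("startup_folder_drop", pid, ppid, ev["TargetFilename"]))
        elif eid == 1:
            if NETSH_ALLOW_RE.search(ev["CommandLine"]):
                findings.append(Finding("firewall_allow_added", pid, ppid, ev["CommandLine"]))
            if EXE_IN_ROAMING_ROOT_RE.search(ev["Image"]):
                findings.append(Finding("exe_in_appdata_roaming_root", pid, ppid, ev["Image"]))
    return findings


def njrat_like(events: List[Dict]) -> Set[int]:
    """Correlate: PIDs that set a Run key, dropped into Startup, and spawned the
    netsh exception (netsh runs as a child, so its finding is credited to the parent)."""
    by_pid: Dict[int, Set[str]] = {}
    for f in detect(events):
        owner = f.ppid if f.rule == "firewall_allow_added" and f.ppid is not None else f.pid
        by_pid.setdefault(owner, set()).add(f.rule)
    needed = {"run_key_persistence", "startup_folder_drop", "firewall_allow_added"}
    return {pid for pid, rules in by_pid.items() if needed <= rules}


# Constructed events mirroring the report's IoCs (PIDs and paths as reported),
# plus one benign Run value as a control.
SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 1, "ProcessId": 1084, "ParentProcessId": 400,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\Vrz7skDd.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Local\Temp\Vrz7skDd.exe"'},
    {"EventID": 1, "ProcessId": 1504, "ParentProcessId": 1084,
     "Image": r"C:\Users\Admin\AppData\Roaming\Google Chrome.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Roaming\Google Chrome.exe"'},
    {"EventID": 11, "ProcessId": 1504, "ParentProcessId": 1084,
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5e3a65ea61324e81c313ed04d0316f69.exe"},
    {"EventID": 13, "ProcessId": 1504, "ParentProcessId": 1084,
     "TargetObject": r"\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\5e3a65ea61324e81c313ed04d0316f69",
     "Details": r'"C:\Users\Admin\AppData\Roaming\Google Chrome.exe" ..'},
    {"EventID": 13, "ProcessId": 1504, "ParentProcessId": 1084,
     "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\5e3a65ea61324e81c313ed04d0316f69",
     "Details": r'"C:\Users\Admin\AppData\Roaming\Google Chrome.exe" ..'},
    {"EventID": 1, "ProcessId": 1612, "ParentProcessId": 1504,
     "Image": r"C:\Windows\SysWOW64\netsh.exe",
     "CommandLine": r'netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Google Chrome.exe" "Google Chrome.exe" ENABLE'},
    {"EventID": 13, "ProcessId": 2000, "ParentProcessId": 1,
     "TargetObject": r"\REGISTRY\USER\S-1-5-21-1-2-3-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.rule:30} pid={f.pid:<5} {f.detail}")
    print("njRAT-like PIDs:", njrat_like(SAMPLE_EVENTS))
```

The per-event rules are deliberately loose (any exe directly in %APPDATA%, any Run value into the profile); the correlation in njrat_like is what keeps the verdict precise, by requiring all three persistence actions from one process before naming it.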
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Roaming\Google Chrome.exe (listed three times in the report: twice as C:\Users\Admin\AppData\Roaming\Google Chrome.exe and once as \Users\Admin\AppData\Roaming\Google Chrome.exe, all with the same hashes)
  MD5: d53632afb8714caff16ff790a2799cd4
  SHA1: 2b156be1603ee3f615d3727c6d28d30b44821869
  SHA256: 0cf5a7646bb4033425811d5d0a1432d229c87e4850228be4ca5493fcaf2c0c3a
  SHA512: 97f2dbb993100d414de977f1bbed851acec1d766f2593038f926f11d3d1d75d82ef6fda136feb12392023defe5c5abc991037900d8101a29f68c11db9a074012
  These hashes match the submitted sample's (General section): the dropped "Google Chrome.exe" is a byte-for-byte self-copy, so one hash set covers both artefacts.
Memory dumps
memory/1504-3-0x0000000000000000-mapping.dmp (Google Chrome.exe, PID 1504)
memory/1612-6-0x0000000000000000-mapping.dmp (netsh.exe, PID 1612)