Analysis
- max time kernel: 150s
- max time network: 149s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 02-01-2021 03:03
Static task: static1
Behavioral task: behavioral1
  Sample: 0deYeauE.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: 0deYeauE.exe
  Resource: win10v20201028
General
- Target: 0deYeauE.exe
- Size: 23KB
- MD5: 88976018f61870784cc2fb1483302786
- SHA1: feeb5746d9ce5220c33554481f037be68189a504
- SHA256: 3a6cd04a3598e161e9b0c5cc80df7902e6e4d5cb1f47247682cd4b785a2f7b8a
- SHA512: a1a88d2f28aca6315cbd70e5469c921cbd8e0407fa875b8ee8945a9c076caa4043fe8f7bdfeec43d9cadde8bc030cf95d27fc3bf9b5b138a403a171c68979ce2
Malware Config
Extracted:
- njrat
- 0.7d
- holla
- jadory11.ddns.net:1177
- df7d92fe2d31c000f0a9d24717414079
- reg_key: df7d92fe2d31c000f0a9d24717414079
- splitter: |'|'|
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    dns.exe, pid 1668
- Modifies Windows Firewall (1 TTP)
- Loads dropped DLL (1 IoC)
  Processes:
    0deYeauE.exe, pid 1472
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (dns.exe):
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\df7d92fe2d31c000f0a9d24717414079 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\dns.exe\" .."
    Set value (str) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\df7d92fe2d31c000f0a9d24717414079 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\dns.exe\" .."
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (31 IoCs)
  Processes (dns.exe, pid 1668):
    Token: SeDebugPrivilege
    Token: 33
    Token: SeIncBasePriorityPrivilege
    (the pair "Token: 33" followed by "Token: SeIncBasePriorityPrivilege" is recorded 15 times in total, giving the 31 entries above)
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
    PID 1472 (0deYeauE.exe) wrote to memory of 1668 (dns.exe), recorded 4 times
    PID 1668 (dns.exe) wrote to memory of 1704 (netsh.exe), recorded 4 times
Processes
- C:\Users\Admin\AppData\Local\Temp\0deYeauE.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0deYeauE.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  Child process:
  - C:\Users\Admin\AppData\Local\Temp\dns.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\dns.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    Child process:
    - C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\dns.exe" "dns.exe" ENABLE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\dns.exe
  MD5: 88976018f61870784cc2fb1483302786
  SHA1: feeb5746d9ce5220c33554481f037be68189a504
  SHA256: 3a6cd04a3598e161e9b0c5cc80df7902e6e4d5cb1f47247682cd4b785a2f7b8a
  SHA512: a1a88d2f28aca6315cbd70e5469c921cbd8e0407fa875b8ee8945a9c076caa4043fe8f7bdfeec43d9cadde8bc030cf95d27fc3bf9b5b138a403a171c68979ce2
- \Users\Admin\AppData\Local\Temp\dns.exe
  MD5: 88976018f61870784cc2fb1483302786
  SHA1: feeb5746d9ce5220c33554481f037be68189a504
  SHA256: 3a6cd04a3598e161e9b0c5cc80df7902e6e4d5cb1f47247682cd4b785a2f7b8a
  SHA512: a1a88d2f28aca6315cbd70e5469c921cbd8e0407fa875b8ee8945a9c076caa4043fe8f7bdfeec43d9cadde8bc030cf95d27fc3bf9b5b138a403a171c68979ce2
- memory/1668-3-0x0000000000000000-mapping.dmp
- memory/1704-6-0x0000000000000000-mapping.dmp