Analysis
  max time kernel: 150s
  max time network: 152s
  platform: windows7_x64
  resource: win7v20201028
  submitted: 04-01-2021 11:03
Static task: static1
Behavioral task: behavioral1
  Sample: 8Xq2HpfN.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: 8Xq2HpfN.exe
  Resource: win10v20201028
General
  Target: 8Xq2HpfN.exe
  Size: 23KB
  MD5: b3dcf29a3d7752f8013911af1fbebbd1
  SHA1: f430b6aeeef4e4c661f135e7a1c2dfacec22022f
  SHA256: 5d500eea014b83738a491106e3dc889f15f5513f131099169d73416d3b2b6b59
  SHA512: e63494361961e1244c3584ad52c1af239f038c582c858f0f0746b1507e2e71e0915e6297296dc1c0e739097ed46058e3faa4ae437566c042d45e63a8c9a65adc
Malware Config
Extracted
  Family: njrat
  Version: 0.7d
  Botnet: HacKed
  C2: ilyes99.hopto.org:5552
  Mutex: 0c46498110c6b3365e928bd673d308ed
  Attributes:
    reg_key: 0c46498110c6b3365e928bd673d308ed
    splitter: |'|'|
Signatures

Executes dropped EXE 1 IoCs
Processes:
  pid   process
  1652  Windows.exe

Modifies Windows Firewall 1 TTPs

Adds Run key to start application 2 TTPs 2 IoCs
Processes:
  process      description      ioc
  Windows.exe  Set value (str)  \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\0c46498110c6b3365e928bd673d308ed = "\"C:\\Windows\\Windows.exe\" .."
  Windows.exe  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\0c46498110c6b3365e928bd673d308ed = "\"C:\\Windows\\Windows.exe\" .."

Drops file in Windows directory 1 IoCs
Processes:
  process       description   ioc
  8Xq2HpfN.exe  File created  C:\Windows\Windows.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of AdjustPrivilegeToken 31 IoCs
Processes:
  process      pid   description
  Windows.exe  1652  Token: SeDebugPrivilege            (1 event)
  Windows.exe  1652  Token: 33                          (15 events)
  Windows.exe  1652  Token: SeIncBasePriorityPrivilege  (15 events)
  (after the single SeDebugPrivilege adjustment, the pair "Token: 33" / "Token: SeIncBasePriorityPrivilege" repeats 15 times)
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
  description                       pid   process       target process
  PID 1432 wrote to memory of 1652  1432  8Xq2HpfN.exe  Windows.exe     (4 events)
  PID 1652 wrote to memory of 1932  1652  Windows.exe   netsh.exe       (4 events)
Processes

1. C:\Users\Admin\AppData\Local\Temp\8Xq2HpfN.exe (PID 1432)
   Command line: "C:\Users\Admin\AppData\Local\Temp\8Xq2HpfN.exe"
   - Drops file in Windows directory
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\Windows.exe (PID 1652)
      Command line: "C:\Windows\Windows.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\netsh.exe (PID 1932)
         Command line: netsh firewall add allowedprogram "C:\Windows\Windows.exe" "Windows.exe" ENABLE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Windows\Windows.exe
  MD5: b3dcf29a3d7752f8013911af1fbebbd1
  SHA1: f430b6aeeef4e4c661f135e7a1c2dfacec22022f
  SHA256: 5d500eea014b83738a491106e3dc889f15f5513f131099169d73416d3b2b6b59
  SHA512: e63494361961e1244c3584ad52c1af239f038c582c858f0f0746b1507e2e71e0915e6297296dc1c0e739097ed46058e3faa4ae437566c042d45e63a8c9a65adc
  (all four hashes match the submitted sample: the dropped file is a byte-for-byte copy of 8Xq2HpfN.exe)
memory/1652-2-0x0000000000000000-mapping.dmp
memory/1932-5-0x0000000000000000-mapping.dmp